infected computer ): FRST scan attached

nlu122 · June 21, 2014

Here's the FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 21-06-2014 01

Ran by nate (administrator) on NATHANS on 21-06-2014 09:50:54

Running from C:\Users\nate\Downloads

Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)

Internet Explorer Version 11

Boot Mode: Normal

The only official download link for FRST:

Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/

Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Download link from any site other than Bleeping Computer is unpermitted or outdated.

See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Lenovo.) C:\Windows\System32\ibmpmsvc.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe

(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe

(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe

(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe

(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\CamMute.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\micmute.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe

(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\MDM.EXE

(McAfee, Inc.) C:\Windows\System32\mfevtps.exe

(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe

(Ulead Systems, Inc.) C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

(McAfee, Inc.) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\System Update\SUService.exe

(Symantec Corporation) C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\ZOOM\TpScrex.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe

(McAfee, Inc.) C:\Program Files\McAfee.com\Agent\mcagent.exe

(Lenovo.) C:\Windows\System32\TpShocks.exe

() C:\Program Files\CONEXANT\ForteConfig\fmapp.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe

(Lenovo Group Limited) C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe

(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe

(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

(Spotify Ltd) C:\Users\nate\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

(Microsoft Corporation) C:\Windows\System32\StikyNot.exe

(Spotify Ltd) C:\Users\nate\AppData\Roaming\Spotify\spotify.exe

(Microsoft Corporation) C:\Windows\System32\regsvr32.exe

(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

(Dropbox, Inc.) C:\Users\nate\AppData\Roaming\Dropbox\bin\Dropbox.exe

(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

(Ricoh co.,Ltd.) C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe

(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe

(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe

(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe

(Lenovo Group Limited) C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.EXE

(Lenovo) C:\Program Files\Lenovo\SimpleTap\SimpleTap.exe

(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe

(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe

() C:\Users\nate\AppData\Roaming\Spotify\Data\SpotifyHelper.exe

(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe

() C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Google Inc.) C:\Users\nate\AppData\Local\Google\Chrome\Application\chrome.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Google Inc.) C:\Users\nate\AppData\Local\Google\Chrome\Application\chrome.exe

(Intel Corporation) C:\Windows\System32\igfxext.exe

(Intel Corporation) C:\Windows\System32\igfxsrvc.exe

(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [TpShocks] => C:\Windows\system32\TpShocks.exe [380776 2010-12-09] (Lenovo.)

HKLM\...\Run: [ForteConfig] => C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-25] ()

HKLM\...\Run: [smartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [316032 2011-03-14] (Conexant systems, Inc.)

HKLM\...\Run: [LENOVO.TPKNRRES] => C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [41320 2011-04-04] (Lenovo Group Limited)

HKLM\...\Run: [ALCKRESI.EXE] => C:\Program Files\Lenovo\AutoLock\ALCKRESI.EXE [281448 2011-02-28] (Lenovo Group Limited)

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-03-30] (Adobe Systems Incorporated)

HKLM\...\Run: [intelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)

HKLM\...\Run: [synTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2907448 2012-07-05] (Synaptics Incorporated)

HKLM-x32\...\Run: [RotateImage] => C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe [55808 2008-10-30] (Ricoh co.,Ltd.)

HKLM-x32\...\Run: [PWMTRV] => rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor

HKLM-x32\...\Run: [Lenovo Registration] => C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe [4309184 2011-02-09] (Lenovo, Inc.)

HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [1659976 2011-06-23] (McAfee, Inc.)

HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [switchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [] => [X]

HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41336 2014-05-08] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840568 2014-05-08] (Adobe Systems Inc.)

HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)

HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)

HKLM-x32\...\Run: [bCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)

HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)

HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKLM\...\Policies\Explorer: [NoFolderOptions] 0

HKLM\...\Policies\Explorer: [NoControlPanel] 0

HKU\S-1-5-21-1022412237-4134323410-1441852971-1000\...\Run: [spybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

HKU\S-1-5-21-1022412237-4134323410-1441852971-1000\...\Run: [Facebook Update] => "C:\Users\nate\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver

HKU\S-1-5-21-1022412237-4134323410-1441852971-1000\...\Run: [Google Update] => C:\Users\nate\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-01-09] (Google Inc.)

HKU\S-1-5-21-1022412237-4134323410-1441852971-1000\...\Run: [spotify Web Helper] => C:\Users\nate\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1176632 2014-05-15] (Spotify Ltd)

HKU\S-1-5-21-1022412237-4134323410-1441852971-1000\...\Run: [968830F47F5DCD5F4AABA40836FED0EF18F9C861._service_run] => C:\Users\nate\AppData\Local\Google\Chrome\Application\chrome.exe [860488 2014-06-05] (Google Inc.)

HKU\S-1-5-21-1022412237-4134323410-1441852971-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)

HKU\S-1-5-21-1022412237-4134323410-1441852971-1000\...\Run: [spotify] => C:\Users\nate\AppData\Roaming\Spotify\Spotify.exe [6170168 2014-05-15] (Spotify Ltd)

HKU\S-1-5-21-1022412237-4134323410-1441852971-1000\...\MountPoints2: {c89f4fc6-c387-11e0-81f4-806e6f6e6963} - Q:\LenovoQDrive.exe

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

Startup: C:\Users\nate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> C:\Users\nate\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

ShellIconOverlayIdentifiers: 1CryptoProviderIcons -> {24808826-C2BF-4269-B3BA-89D1D5F431A4} => C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll ()

ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File

ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File

ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File

ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File

ShellIconOverlayIdentifiers: GDriveBlacklistedOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)

ShellIconOverlayIdentifiers: GDriveSharedEditOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)

ShellIconOverlayIdentifiers: GDriveSharedOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)

ShellIconOverlayIdentifiers: GDriveSharedViewOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)

ShellIconOverlayIdentifiers: GDriveSyncedOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)

ShellIconOverlayIdentifiers: GDriveSyncingOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)

ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2 (GFS Stub) -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 3 (GFS Folder) -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File

ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File

ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File

ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 2 (GFS Stub) -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 3 (GFS Folder) -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/?type=586383&fr=spigot-yhp-ie

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.msn.com

HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkpad

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkpad

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKLM-x32 - DefaultScope value is missing.

SearchScopes: HKCU - URL http://www.bing.com/search?q={searchTerms}

SearchScopes: HKCU - {9C0639F2-C2ED-4814-9CB3-C69D0260197C} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=586383&p={searchTerms}

SearchScopes: HKCU - {BA709092-8FBD-4A89-9097-24CAEFAA681B} URL =

BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110822153405.dll (McAfee, Inc.)

BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Symantec VIP Access Add-On - {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\64bit\VIPAddOnForIE64.dll (Symantec Corporation)

BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)

BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20121011162822.dll (McAfee, Inc.)

BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Symantec VIP Access Add-On - {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll (Symantec Corporation)

BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

BHO-x32: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File

Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

Handler-x32: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

Handler-x32: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)

Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files (x86)\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Tcpip\..\Interfaces\{3DC09B79-918A-42B2-B483-BA54A14AF754}: [NameServer]8.8.8.8,8.8.8.8

Tcpip\..\Interfaces\{51FEEEDE-6494-4CCD-B694-EF71E60C070E}: [NameServer]8.8.8.8,8.8.8.8

Tcpip\..\Interfaces\{E48734B3-E360-4981-A7A9-8AEA12DB3038}: [NameServer]8.8.8.8,8.8.8.8

FireFox:

========

FF ProfilePath: C:\Users\nate\AppData\Roaming\Mozilla\Firefox\Profiles\ggzx4tok.default

FF DefaultSearchEngine: search

FF SearchEngineOrder.3: Bing

FF SelectedSearchEngine: search

FF Homepage: hxxp://search.yahoo.com/?type=586383&fr=spigot-yhp-ff

FF Keyword.URL: hxxp://www.bing.com/search?FORM=U164HD&PC=U164H&q=

FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_214.dll ()

FF Plugin: @mcafee.com/MSC,version=10 - c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()

FF Plugin: @microsoft.com/GENUINE - disabled No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll ()

FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll No File

FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()

FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin-x32: @mcafee.com/MSC,version=10 - c:\progra~2\mcafee\msc\npmcsn~1.dll ()

FF Plugin-x32: @microsoft.com/GENUINE - disabled No File

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)

FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Users\nate\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File

FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\nate\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)

FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\nate\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)

FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\nate\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\nate\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\nate\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF Plugin HKCU: amazon.com/AmazonMP3DownloaderPlugin - C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll (Amazon.com, Inc.)

FF Plugin HKCU: pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF Plugin ProgramFiles/Appdata: C:\Users\nate\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)

FF Plugin ProgramFiles/Appdata: C:\Users\nate\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)

FF SearchPlugin: C:\Users\nate\AppData\Roaming\Mozilla\Firefox\Profiles\ggzx4tok.default\searchplugins\yahoo_ff.xml

FF Extension: SvcVwr 1.0 Object - C:\Users\nate\AppData\Roaming\Mozilla\Firefox\Profiles\ggzx4tok.default\Extensions\{863C56C3-D45C-95C1-DF5F-6944590C9551} [2014-06-12]

FF HKLM-x32\...\Firefox\Extensions: [VIP@verisign.com] - C:\Program Files (x86)\Symantec\VIP Access Client

FF Extension: Symantec VIP Access Add-On - C:\Program Files (x86)\Symantec\VIP Access Client [2011-08-10]

FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011-08-28]

FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn

FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011-09-06]

FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011-08-28]

Chrome:

=======

CHR Extension: (Google Drive) - C:\Users\nate\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-11-12]

CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\nate\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-08]

CHR Extension: (YouTube) - C:\Users\nate\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-06-08]

CHR Extension: (Google Search) - C:\Users\nate\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-06-08]

CHR Extension: (AdBlock) - C:\Users\nate\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-06-08]

CHR Extension: (Google Wallet) - C:\Users\nate\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-06-08]

CHR Extension: (Gmail) - C:\Users\nate\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-06-08]

CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\nate\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-11-06]

CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2012-01-17]

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Services (Whitelisted) =================

S2 CCALib8; C:\Program Files (x86)\Canon\CAL\CALMAIN.exe [96341 2006-03-30] (Canon Inc.) [File not signed]

S3 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [477032 2011-03-23] (Lenovo.)

R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]

R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-05-21] (Hewlett-Packard Co.) [File not signed]

R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2010-10-22] (Hewlett-Packard Co.) [File not signed]

R2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [93032 2010-04-06] (Lenovo Group Limited)

R2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)

R2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)

R2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)

R2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)

S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [501768 2011-06-23] (McAfee, Inc.)

R2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)

R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [197960 2011-03-13] (McAfee, Inc.)

R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [208272 2011-03-13] (McAfee, Inc.)

R2 mfevtp; C:\Windows\system32\mfevtps.exe [158832 2011-03-13] (McAfee, Inc.)

R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]

R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]

R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

R2 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [28672 2010-12-14] (Lenovo Group Limited) [File not signed]

S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]

R2 UleadBurningHelper; C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2008-01-10] (Ulead Systems, Inc.) [File not signed]

R2 VIPAppService; C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe [82544 2011-07-12] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [65128 2011-03-13] (McAfee, Inc.)

R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [156792 2011-03-13] (McAfee, Inc.)

R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [227856 2011-03-13] (McAfee, Inc.)

U3 mfeavfk01; No ImagePath

R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481376 2011-03-13] (McAfee, Inc.)

R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [639216 2011-03-13] (McAfee, Inc.)

R1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75672 2011-03-13] (McAfee, Inc.)

S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [98728 2011-03-13] (McAfee, Inc.)

R1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [281928 2011-03-13] (McAfee, Inc.)

S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2011-08-10] ()

S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)

R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [27960 2012-07-05] (Synaptics Incorporated)

R3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [41536 2009-09-24] (Lenovo (United States) Inc.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-21 09:50 - 2014-06-21 09:51 - 00033266 _____ () C:\Users\nate\Downloads\FRST.txt

2014-06-21 09:50 - 2014-06-21 09:51 - 00000000 ____D () C:\FRST

2014-06-21 09:47 - 2014-06-21 09:47 - 02083328 _____ (Farbar) C:\Users\nate\Downloads\FRST64.exe

2014-06-21 09:34 - 2014-06-21 09:34 - 05209566 _____ (Swearware) C:\Users\nate\Downloads\ComboFix.exe

2014-06-21 09:31 - 2014-06-21 09:31 - 04485528 _____ (AVG Technologies) C:\Users\nate\Downloads\avg_isct_stb_all_2014_4577_cnet.exe

2014-06-21 09:29 - 2014-06-21 09:29 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\nate\Desktop\tdsskiller (1).exe

2014-06-21 09:28 - 2014-06-21 09:28 - 00000632 _____ () C:\Users\nate\Desktop\JRT.txt

2014-06-21 05:52 - 2014-06-21 05:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee

2014-06-20 16:39 - 2014-06-20 16:39 - 03238523 _____ () C:\Users\nate\Downloads\Chinese Training Materials (2).pptx

2014-06-19 23:49 - 2014-06-19 23:49 - 00000000 ____D () C:\Windows\system32\%LOCALAPPDATA%

2014-06-19 23:46 - 2014-06-20 03:21 - 00000000 ____D () C:\Windows\pss

2014-06-17 07:31 - 2014-06-21 04:50 - 00128728 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-06-17 07:30 - 2014-06-17 07:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-06-17 07:30 - 2014-06-17 07:30 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware

2014-06-17 07:30 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2014-06-17 06:31 - 2014-06-17 06:32 - 05268992 _____ () C:\Users\nate\Downloads\RogueKillerX64 (1).exe

2014-06-13 21:37 - 2014-06-13 21:37 - 00011657 _____ () C:\Users\nate\Documents\missions team contact.xlsx

2014-06-13 16:54 - 2014-06-17 01:39 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Sauvzyeb

2014-06-11 17:51 - 2014-06-11 17:51 - 03238523 _____ () C:\Users\nate\Downloads\Chinese Training Materials (1).pptx

2014-06-11 17:50 - 2014-06-11 17:50 - 03238523 _____ () C:\Users\nate\Downloads\Chinese Training Materials.pptx

2014-06-11 08:56 - 2014-05-30 03:21 - 23414784 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2014-06-11 08:56 - 2014-05-30 03:02 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2014-06-11 08:56 - 2014-05-30 03:02 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll

2014-06-11 08:56 - 2014-05-30 02:45 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2014-06-11 08:56 - 2014-05-30 02:39 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2014-06-11 08:56 - 2014-05-30 02:39 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll

2014-06-11 08:56 - 2014-05-30 02:38 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll

2014-06-11 08:56 - 2014-05-30 02:28 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2014-06-11 08:56 - 2014-05-30 02:27 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll

2014-06-11 08:56 - 2014-05-30 02:24 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2014-06-11 08:56 - 2014-05-30 02:21 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

2014-06-11 08:56 - 2014-05-30 02:21 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe

2014-06-11 08:56 - 2014-05-30 02:20 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll

2014-06-11 08:56 - 2014-05-30 02:18 - 17271296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2014-06-11 08:56 - 2014-05-30 02:11 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe

2014-06-11 08:56 - 2014-05-30 02:08 - 05782528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2014-06-11 08:56 - 2014-05-30 02:06 - 00452096 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll

2014-06-11 08:56 - 2014-05-30 02:02 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2014-06-11 08:56 - 2014-05-30 01:55 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll

2014-06-11 08:56 - 2014-05-30 01:49 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll

2014-06-11 08:56 - 2014-05-30 01:46 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2014-06-11 08:56 - 2014-05-30 01:44 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2014-06-11 08:56 - 2014-05-30 01:44 - 00295424 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2014-06-11 08:56 - 2014-05-30 01:43 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2014-06-11 08:56 - 2014-05-30 01:42 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll

2014-06-11 08:56 - 2014-05-30 01:38 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2014-06-11 08:56 - 2014-05-30 01:35 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe

2014-06-11 08:56 - 2014-05-30 01:34 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2014-06-11 08:56 - 2014-05-30 01:33 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2014-06-11 08:56 - 2014-05-30 01:30 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2014-06-11 08:56 - 2014-05-30 01:29 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2014-06-11 08:56 - 2014-05-30 01:28 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2014-06-11 08:56 - 2014-05-30 01:27 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll

2014-06-11 08:56 - 2014-05-30 01:24 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll

2014-06-11 08:56 - 2014-05-30 01:23 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2014-06-11 08:56 - 2014-05-30 01:16 - 00368128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll

2014-06-11 08:56 - 2014-05-30 01:10 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll

2014-06-11 08:56 - 2014-05-30 01:06 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll

2014-06-11 08:56 - 2014-05-30 01:04 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2014-06-11 08:56 - 2014-05-30 01:02 - 00242688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll

2014-06-11 08:56 - 2014-05-30 00:56 - 04244992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2014-06-11 08:56 - 2014-05-30 00:56 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2014-06-11 08:56 - 2014-05-30 00:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2014-06-11 08:56 - 2014-05-30 00:50 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll

2014-06-11 08:56 - 2014-05-30 00:49 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2014-06-11 08:56 - 2014-05-30 00:43 - 13522944 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2014-06-11 08:56 - 2014-05-30 00:40 - 11725312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2014-06-11 08:56 - 2014-05-30 00:30 - 01398272 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2014-06-11 08:56 - 2014-05-30 00:21 - 01790976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2014-06-11 08:56 - 2014-05-30 00:15 - 01143296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2014-06-11 08:56 - 2014-05-30 00:13 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll

2014-06-11 08:56 - 2014-05-30 00:13 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

2014-06-11 08:56 - 2014-04-24 19:34 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll

2014-06-11 08:56 - 2014-04-24 19:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll

2014-06-11 08:56 - 2014-04-04 19:47 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys

2014-06-11 08:56 - 2014-04-04 19:47 - 00288192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS

2014-06-11 08:56 - 2014-03-26 07:44 - 02002432 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll

2014-06-11 08:56 - 2014-03-26 07:44 - 01882112 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll

2014-06-11 08:56 - 2014-03-26 07:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll

2014-06-11 08:56 - 2014-03-26 07:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll

2014-06-11 08:56 - 2014-03-26 07:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2014-06-11 08:56 - 2014-03-26 07:27 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2014-06-11 08:56 - 2014-03-26 07:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6r.dll

2014-06-11 08:56 - 2014-03-26 07:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll

2014-06-11 08:55 - 2014-06-08 02:13 - 00506368 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll

2014-06-11 08:55 - 2014-06-08 02:08 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll

2014-06-09 10:35 - 2014-06-13 21:42 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Uwnoafxa

2014-06-08 21:12 - 2014-06-21 08:51 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2014-06-08 21:11 - 2014-06-21 05:21 - 00000000 ____D () C:\Users\nate\Desktop\mbar

2014-06-08 21:11 - 2014-06-21 04:48 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-06-08 21:10 - 2014-06-08 21:11 - 14349744 _____ (Malwarebytes Corp.) C:\Users\nate\Downloads\mbar-1.07.0.1012.exe

2014-06-08 21:06 - 2014-06-08 21:06 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\nate\Downloads\tdsskiller.exe

2014-06-06 09:33 - 2014-06-06 09:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes

2014-06-06 09:32 - 2014-06-06 09:33 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2014-06-06 09:32 - 2014-06-06 09:33 - 00000000 ____D () C:\Program Files\iTunes

2014-06-06 09:32 - 2014-06-06 09:33 - 00000000 ____D () C:\Program Files (x86)\iTunes

2014-06-06 09:32 - 2014-06-06 09:32 - 00000000 ____D () C:\Program Files\iPod

2014-06-06 08:22 - 2014-06-06 08:23 - 05245952 _____ () C:\Users\nate\Downloads\RogueKillerX64.exe

2014-06-05 10:27 - 2014-06-08 21:35 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Voywgusi

2014-06-01 01:44 - 2014-06-02 14:12 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Ydabbic

2014-05-31 00:15 - 2014-05-31 00:16 - 01016261 _____ (Thisisu) C:\Users\nate\Downloads\JRT.exe

2014-05-31 00:13 - 2014-05-31 00:13 - 01327971 _____ () C:\Users\nate\Downloads\adwcleaner_3.211.exe

2014-05-31 00:11 - 2014-05-31 00:11 - 00000000 ____D () C:\ProgramData\RogueKiller

2014-05-30 23:49 - 2014-05-30 23:51 - 10971424 _____ (SurfRight B.V.) C:\Users\nate\Downloads\HitmanPro_x64.exe

2014-05-28 19:42 - 2014-05-28 19:42 - 00022209 _____ () C:\Users\nate\Desktop\RKreport[0]_D_05282014_194223.txt

2014-05-28 19:37 - 2014-05-28 19:37 - 00022061 _____ () C:\Users\nate\Desktop\RKreport[0]_S_05282014_193704.txt

2014-05-28 02:00 - 2014-05-30 17:36 - 00000000 ____D () C:\Users\nate\AppData\Local\Adobe

2014-05-27 09:23 - 2014-05-30 16:56 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Omhoydfu

2014-05-27 09:19 - 2014-05-27 09:19 - 00000000 ____D () C:\Users\nate\AppData\Local\Skype

2014-05-27 09:18 - 2014-05-27 09:18 - 00002515 _____ () C:\Users\Public\Desktop\Skype.lnk

2014-05-27 09:18 - 2014-05-27 09:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype

2014-05-26 19:43 - 2014-05-26 19:43 - 00001997 _____ () C:\Users\Public\Desktop\Adobe Acrobat X Pro.lnk

2014-05-26 19:36 - 2014-05-26 19:36 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk

2014-05-26 19:36 - 2014-05-26 19:36 - 00001990 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk

2014-05-26 03:02 - 2014-05-26 03:02 - 01071792 _____ (Solid State Networks) C:\Users\nate\Downloads\Unconfirmed 713332.crdownload

2014-05-24 17:13 - 2014-06-14 15:43 - 00001723 _____ () C:\Users\nate\Desktop\Computer.lnk

2014-05-24 17:13 - 2014-06-14 15:43 - 00000288 _____ () C:\Users\nate\AppData\Roaming\537DD183.reg

2014-05-22 12:37 - 2014-05-22 12:40 - 00002430 _____ () C:\Users\nate\Desktop\Rkill.txt

2014-05-22 12:36 - 2014-05-22 12:36 - 00002884 _____ () C:\Users\nate\Desktop\RKreport[0]_D_05222014_123641.txt

2014-05-22 12:36 - 2014-05-22 12:36 - 00002849 _____ () C:\Users\nate\Desktop\RKreport[0]_S_05222014_123607.txt

==================== One Month Modified Files and Folders =======

2014-06-21 09:51 - 2014-06-21 09:50 - 00033266 _____ () C:\Users\nate\Downloads\FRST.txt

2014-06-21 09:51 - 2014-06-21 09:50 - 00000000 ____D () C:\FRST

2014-06-21 09:49 - 2011-08-10 12:39 - 01621778 _____ () C:\Windows\WindowsUpdate.log

2014-06-21 09:47 - 2014-06-21 09:47 - 02083328 _____ (Farbar) C:\Users\nate\Downloads\FRST64.exe

2014-06-21 09:46 - 2014-01-27 18:11 - 00000000 ____D () C:\Users\nate\AppData\Roaming\BitTorrent

2014-06-21 09:42 - 2011-10-05 18:34 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Spotify

2014-06-21 09:36 - 2012-09-24 22:38 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2014-06-21 09:34 - 2014-06-21 09:34 - 05209566 _____ (Swearware) C:\Users\nate\Downloads\ComboFix.exe

2014-06-21 09:31 - 2014-06-21 09:31 - 04485528 _____ (AVG Technologies) C:\Users\nate\Downloads\avg_isct_stb_all_2014_4577_cnet.exe

2014-06-21 09:29 - 2014-06-21 09:29 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\nate\Desktop\tdsskiller (1).exe

2014-06-21 09:28 - 2014-06-21 09:28 - 00000632 _____ () C:\Users\nate\Desktop\JRT.txt

2014-06-21 09:12 - 2014-05-08 12:55 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job

2014-06-21 08:54 - 2012-01-09 22:42 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000UA.job

2014-06-21 08:53 - 2014-05-15 10:18 - 00000000 ____D () C:\Users\nate\AppData\Roaming\DropboxMaster

2014-06-21 08:53 - 2013-05-18 12:14 - 00000000 ____D () C:\Users\nate\AppData\Local\Spotify

2014-06-21 08:53 - 2012-10-15 12:16 - 00000000 ___RD () C:\Users\nate\Dropbox

2014-06-21 08:53 - 2012-10-15 12:13 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Dropbox

2014-06-21 08:51 - 2014-06-08 21:12 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2014-06-21 08:51 - 2012-09-24 22:38 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2014-06-21 07:06 - 2011-08-23 00:26 - 00000924 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000UA.job

2014-06-21 05:57 - 2009-07-13 21:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-06-21 05:57 - 2009-07-13 21:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-06-21 05:52 - 2014-06-21 05:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee

2014-06-21 05:50 - 2011-08-17 01:15 - 00000466 _____ () C:\Windows\Tasks\SystemToolsDailyTest.job

2014-06-21 05:50 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-06-21 05:50 - 2009-07-13 21:51 - 00074486 _____ () C:\Windows\setupact.log

2014-06-21 05:49 - 2011-08-17 01:18 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Adobe

2014-06-21 05:49 - 2010-11-21 00:16 - 00000000 ____D () C:\Windows\ShellNew

2014-06-21 05:49 - 2010-11-20 20:47 - 00301314 _____ () C:\Windows\PFRO.log

2014-06-21 05:21 - 2014-06-08 21:11 - 00000000 ____D () C:\Users\nate\Desktop\mbar

2014-06-21 04:50 - 2014-06-17 07:31 - 00128728 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-06-21 04:48 - 2014-06-08 21:11 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-06-20 23:26 - 2011-08-17 01:15 - 00003448 _____ () C:\Windows\System32\Tasks\PCDEventLauncher

2014-06-20 23:26 - 2011-08-10 12:57 - 00000000 ____D () C:\ProgramData\PCDr

2014-06-20 22:45 - 2014-03-28 12:29 - 00000000 ____D () C:\Users\nate\AppData\Local\Iqczsoft

2014-06-20 22:42 - 2012-01-09 22:42 - 00000852 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000Core.job

2014-06-20 22:42 - 2011-08-23 00:25 - 00000902 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000Core.job

2014-06-20 16:39 - 2014-06-20 16:39 - 03238523 _____ () C:\Users\nate\Downloads\Chinese Training Materials (2).pptx

2014-06-20 16:04 - 2011-11-11 20:12 - 00000000 ____D () C:\Users\nate\AppData\Local\PMB Files

2014-06-20 16:04 - 2011-11-11 20:12 - 00000000 ____D () C:\ProgramData\PMB Files

2014-06-20 16:00 - 2011-08-17 01:15 - 00003488 _____ () C:\Windows\System32\Tasks\SystemToolsDailyTest

2014-06-20 03:21 - 2014-06-19 23:46 - 00000000 ____D () C:\Windows\pss

2014-06-19 23:49 - 2014-06-19 23:49 - 00000000 ____D () C:\Windows\system32\%LOCALAPPDATA%

2014-06-19 23:35 - 2014-03-26 11:34 - 00000000 ____D () C:\Users\nate\Documents\Taiwan Missions

2014-06-19 00:21 - 2014-04-14 17:27 - 00000000 ____D () C:\Users\nate\AppData\Local\CrashDumps

2014-06-18 22:30 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\system

2014-06-18 12:40 - 2014-04-12 09:48 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt

2014-06-18 12:31 - 2012-09-24 22:38 - 00003890 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2014-06-18 12:31 - 2012-09-24 22:38 - 00003638 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

2014-06-17 23:16 - 2012-09-24 22:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive

2014-06-17 07:30 - 2014-06-17 07:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-06-17 07:30 - 2014-06-17 07:30 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware

2014-06-17 07:30 - 2014-03-18 22:09 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Malwarebytes

2014-06-17 07:30 - 2014-03-18 22:08 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-06-17 07:30 - 2014-03-18 22:08 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware

2014-06-17 06:32 - 2014-06-17 06:31 - 05268992 _____ () C:\Users\nate\Downloads\RogueKillerX64 (1).exe

2014-06-17 01:39 - 2014-06-13 16:54 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Sauvzyeb

2014-06-17 01:39 - 2011-08-28 22:32 - 00000000 ____D () C:\Windows\hpoj4500g510g-m

2014-06-16 21:49 - 2012-01-09 22:42 - 00003872 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000UA

2014-06-16 21:49 - 2012-01-09 22:42 - 00003476 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000Core

2014-06-14 15:43 - 2014-05-24 17:13 - 00001723 _____ () C:\Users\nate\Desktop\Computer.lnk

2014-06-14 15:43 - 2014-05-24 17:13 - 00000288 _____ () C:\Users\nate\AppData\Roaming\537DD183.reg

2014-06-14 01:41 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\rescache

2014-06-13 22:18 - 2012-01-09 22:44 - 00002374 _____ () C:\Users\nate\Desktop\Google Chrome.lnk

2014-06-13 21:48 - 2013-07-18 03:01 - 00000000 ____D () C:\Windows\system32\MRT

2014-06-13 21:42 - 2014-06-09 10:35 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Uwnoafxa

2014-06-13 21:37 - 2014-06-13 21:37 - 00011657 _____ () C:\Users\nate\Documents\missions team contact.xlsx

2014-06-12 03:08 - 2011-08-27 10:49 - 95414520 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2014-06-12 03:06 - 2012-01-12 20:57 - 00000000 ____D () C:\ProgramData\Microsoft Help

2014-06-12 03:04 - 2014-05-09 03:20 - 00000000 ___SD () C:\Windows\system32\CompatTel

2014-06-11 17:51 - 2014-06-11 17:51 - 03238523 _____ () C:\Users\nate\Downloads\Chinese Training Materials (1).pptx

2014-06-11 17:50 - 2014-06-11 17:50 - 03238523 _____ () C:\Users\nate\Downloads\Chinese Training Materials.pptx

2014-06-08 21:35 - 2014-06-05 10:27 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Voywgusi

2014-06-08 21:11 - 2014-06-08 21:10 - 14349744 _____ (Malwarebytes Corp.) C:\Users\nate\Downloads\mbar-1.07.0.1012.exe

2014-06-08 21:06 - 2014-06-08 21:06 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\nate\Downloads\tdsskiller.exe

2014-06-08 02:13 - 2014-06-11 08:55 - 00506368 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll

2014-06-08 02:08 - 2014-06-11 08:55 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll

2014-06-06 22:21 - 2012-10-10 07:04 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Mozilla

2014-06-06 09:33 - 2014-06-06 09:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes

2014-06-06 09:33 - 2014-06-06 09:32 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2014-06-06 09:33 - 2014-06-06 09:32 - 00000000 ____D () C:\Program Files\iTunes

2014-06-06 09:33 - 2014-06-06 09:32 - 00000000 ____D () C:\Program Files (x86)\iTunes

2014-06-06 09:32 - 2014-06-06 09:32 - 00000000 ____D () C:\Program Files\iPod

2014-06-06 08:23 - 2014-06-06 08:22 - 05245952 _____ () C:\Users\nate\Downloads\RogueKillerX64.exe

2014-06-02 19:22 - 2014-03-18 20:51 - 00000000 ____D () C:\AdwCleaner

2014-06-02 14:12 - 2014-06-01 01:44 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Ydabbic

2014-06-01 00:58 - 2011-08-20 00:38 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Skype

2014-05-31 00:16 - 2014-05-31 00:15 - 01016261 _____ (Thisisu) C:\Users\nate\Downloads\JRT.exe

2014-05-31 00:13 - 2014-05-31 00:13 - 01327971 _____ () C:\Users\nate\Downloads\adwcleaner_3.211.exe

2014-05-31 00:11 - 2014-05-31 00:11 - 00000000 ____D () C:\ProgramData\RogueKiller

2014-05-30 23:51 - 2014-05-30 23:49 - 10971424 _____ (SurfRight B.V.) C:\Users\nate\Downloads\HitmanPro_x64.exe

2014-05-30 17:36 - 2014-05-28 02:00 - 00000000 ____D () C:\Users\nate\AppData\Local\Adobe

2014-05-30 17:06 - 2012-10-15 12:16 - 00001025 _____ () C:\Users\nate\Desktop\Dropbox.lnk

2014-05-30 17:06 - 2012-10-15 12:15 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox

2014-05-30 17:00 - 2011-08-17 01:15 - 00000528 _____ () C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job

2014-05-30 16:56 - 2014-05-27 09:23 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Omhoydfu

2014-05-30 15:44 - 2013-02-07 09:42 - 00000000 ____D () C:\Users\nate\Documents\Church

2014-05-30 03:21 - 2014-06-11 08:56 - 23414784 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2014-05-30 03:02 - 2014-06-11 08:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2014-05-30 03:02 - 2014-06-11 08:56 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll

2014-05-30 02:45 - 2014-06-11 08:56 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2014-05-30 02:39 - 2014-06-11 08:56 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2014-05-30 02:39 - 2014-06-11 08:56 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll

2014-05-30 02:38 - 2014-06-11 08:56 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll

2014-05-30 02:28 - 2014-06-11 08:56 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2014-05-30 02:27 - 2014-06-11 08:56 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll

2014-05-30 02:24 - 2014-06-11 08:56 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2014-05-30 02:21 - 2014-06-11 08:56 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

2014-05-30 02:21 - 2014-06-11 08:56 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe

2014-05-30 02:20 - 2014-06-11 08:56 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll

2014-05-30 02:18 - 2014-06-11 08:56 - 17271296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2014-05-30 02:11 - 2014-06-11 08:56 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe

2014-05-30 02:08 - 2014-06-11 08:56 - 05782528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2014-05-30 02:06 - 2014-06-11 08:56 - 00452096 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll

2014-05-30 02:02 - 2014-06-11 08:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2014-05-30 01:55 - 2014-06-11 08:56 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll

2014-05-30 01:49 - 2014-06-11 08:56 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll

2014-05-30 01:46 - 2014-06-11 08:56 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2014-05-30 01:44 - 2014-06-11 08:56 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2014-05-30 01:44 - 2014-06-11 08:56 - 00295424 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2014-05-30 01:43 - 2014-06-11 08:56 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2014-05-30 01:42 - 2014-06-11 08:56 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll

2014-05-30 01:38 - 2014-06-11 08:56 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2014-05-30 01:35 - 2014-06-11 08:56 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe

2014-05-30 01:34 - 2014-06-11 08:56 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2014-05-30 01:33 - 2014-06-11 08:56 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2014-05-30 01:30 - 2014-06-11 08:56 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2014-05-30 01:29 - 2014-06-11 08:56 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2014-05-30 01:28 - 2014-06-11 08:56 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2014-05-30 01:27 - 2014-06-11 08:56 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll

2014-05-30 01:24 - 2014-06-11 08:56 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll

2014-05-30 01:23 - 2014-06-11 08:56 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2014-05-30 01:16 - 2014-06-11 08:56 - 00368128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll

2014-05-30 01:10 - 2014-06-11 08:56 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll

2014-05-30 01:06 - 2014-06-11 08:56 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll

2014-05-30 01:04 - 2014-06-11 08:56 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2014-05-30 01:02 - 2014-06-11 08:56 - 00242688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll

2014-05-30 00:56 - 2014-06-11 08:56 - 04244992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2014-05-30 00:56 - 2014-06-11 08:56 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2014-05-30 00:54 - 2014-06-11 08:56 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2014-05-30 00:50 - 2014-06-11 08:56 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll

2014-05-30 00:49 - 2014-06-11 08:56 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2014-05-30 00:43 - 2014-06-11 08:56 - 13522944 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2014-05-30 00:40 - 2014-06-11 08:56 - 11725312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2014-05-30 00:30 - 2014-06-11 08:56 - 01398272 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2014-05-30 00:21 - 2014-06-11 08:56 - 01790976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2014-05-30 00:15 - 2014-06-11 08:56 - 01143296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2014-05-30 00:13 - 2014-06-11 08:56 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll

2014-05-30 00:13 - 2014-06-11 08:56 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

2014-05-29 17:20 - 2011-08-17 01:15 - 00004228 _____ () C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask

2014-05-28 19:42 - 2014-05-28 19:42 - 00022209 _____ () C:\Users\nate\Desktop\RKreport[0]_D_05282014_194223.txt

2014-05-28 19:42 - 2014-05-07 16:05 - 00000000 ____D () C:\Users\nate\Desktop\RK_Quarantine

2014-05-28 19:37 - 2014-05-28 19:37 - 00022061 _____ () C:\Users\nate\Desktop\RKreport[0]_S_05282014_193704.txt

2014-05-27 14:13 - 2014-05-08 12:55 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2014-05-27 14:13 - 2014-05-08 12:55 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2014-05-27 14:13 - 2014-05-08 12:55 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater

2014-05-27 09:19 - 2014-05-27 09:19 - 00000000 ____D () C:\Users\nate\AppData\Local\Skype

2014-05-27 09:18 - 2014-05-27 09:18 - 00002515 _____ () C:\Users\Public\Desktop\Skype.lnk

2014-05-27 09:18 - 2014-05-27 09:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype

2014-05-27 09:18 - 2011-08-20 00:38 - 00000000 ___RD () C:\Program Files (x86)\Skype

2014-05-27 09:18 - 2011-08-20 00:38 - 00000000 ____D () C:\ProgramData\Skype

2014-05-26 19:43 - 2014-05-26 19:43 - 00001997 _____ () C:\Users\Public\Desktop\Adobe Acrobat X Pro.lnk

2014-05-26 19:43 - 2011-09-06 14:36 - 00002465 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller X.lnk

2014-05-26 19:43 - 2011-09-06 14:36 - 00002453 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat X Pro.lnk

2014-05-26 19:43 - 2011-09-06 14:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe LiveCycle ES2

2014-05-26 19:36 - 2014-05-26 19:36 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk

2014-05-26 19:36 - 2014-05-26 19:36 - 00001990 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk

2014-05-26 19:36 - 2011-08-10 12:51 - 00000000 ____D () C:\ProgramData\Adobe

2014-05-26 19:36 - 2011-08-10 12:51 - 00000000 ____D () C:\Program Files (x86)\Adobe

2014-05-26 03:02 - 2014-05-26 03:02 - 01071792 _____ (Solid State Networks) C:\Users\nate\Downloads\Unconfirmed 713332.crdownload

2014-05-23 12:13 - 2014-03-10 15:30 - 00000000 ____D () C:\Users\nate\AppData\Local\Windows Live

2014-05-22 22:20 - 2009-07-13 22:32 - 00000000 ____D () C:\Windows\system32\FxsTmp

2014-05-22 22:13 - 2014-05-15 11:35 - 00000000 ____D () C:\Users\nate\AppData\Roaming\Tireawv

2014-05-22 12:40 - 2014-05-22 12:37 - 00002430 _____ () C:\Users\nate\Desktop\Rkill.txt

2014-05-22 12:36 - 2014-05-22 12:36 - 00002884 _____ () C:\Users\nate\Desktop\RKreport[0]_D_05222014_123641.txt

2014-05-22 12:36 - 2014-05-22 12:36 - 00002849 _____ () C:\Users\nate\Desktop\RKreport[0]_S_05222014_123607.txt

Some content of TEMP:

====================

C:\Users\nate\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpjhnmr6.dll

C:\Users\nate\AppData\Local\Temp\ntdll_dump.dll

C:\Users\nate\AppData\Local\Temp\SE8295.tmp.dll

C:\Users\nate\AppData\Local\Temp\SE97B6.tmp.dll

C:\Users\nate\AppData\Local\Temp\SECAB6.tmp.dll

C:\Users\nate\AppData\Local\Temp\SEDED3.tmp.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-06-20 03:52

==================== End Of Log ============================

Post was too long, so addition.txt is on next post.

Finally, I've tried several virus cleaners/malware cleaners including malwarebytes. Most of the time, it would help a little and fix the issue for a short amount of time, but it keeps coming back.

Thanks in advance for any help (:

nlu122 · June 21, 2014

And here's the addition.txt scan

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21-06-2014 01

Ran by nate at 2014-06-21 09:51:56

Running from C:\Users\nate\Downloads

Boot Mode: Normal

==========================================================

==================== Security Center ========================

AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {86355677-4064-3EA7-ABB3-1B136EB04637}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Firewall (Enabled) {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

==================== Installed Programs ======================

4500_G510gm_Help (x32 Version: 000.0.439.000 - Hewlett-Packard) Hidden

4500G510gm (x32 Version: 000.0.423.000 - Hewlett-Packard) Hidden

4500G510gm_Software_Min (x32 Version: 000.0.423.000 - Hewlett-Packard) Hidden

64 Bit HP CIO Components Installer (Version: 7.2.8 - Hewlett-Packard) Hidden

Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.10 - Adobe Systems)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.5.0.600 - Adobe Systems Incorporated)

Adobe AIR (x32 Version: 3.5.0.600 - Adobe Systems Incorporated) Hidden

Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.4.980 - Adobe Systems Incorporated.)

Adobe Community Help (x32 Version: 3.4.980 - Adobe Systems Incorporated.) Hidden

Adobe Content Viewer (HKLM-x32\...\com.adobe.dmp.contentviewer) (Version: 1.4.0 - Adobe Systems Incorporated)

Adobe Content Viewer (x32 Version: 1.4.0 - Adobe Systems Incorporated) Hidden

Adobe Creative Suite 5.5 Design Premium (HKLM-x32\...\{60E59A6C-7399-495A-B85C-C829F4E59602}) (Version: 5.5 - Adobe Systems Incorporated)

Adobe Download Assistant (HKLM-x32\...\com.adobe.downloadassistant.AdobeDownloadAssistant) (Version: 1.0.3 - Adobe Systems Incorporated)

Adobe Download Assistant (x32 Version: 1.0.3 - Adobe Systems Incorporated) Hidden

Adobe Flash Player 13 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 13.0.0.214 - Adobe Systems Incorporated)

Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)

Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.3.633 - Adobe Systems, Inc.)

Adobe Widget Browser (HKLM-x32\...\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1) (Version: 2.0 Build 230 - Adobe Systems Incorporated.)

Adobe Widget Browser (x32 Version: 2.0.230 - Adobe Systems Incorporated.) Hidden

Amazon MP3 Downloader 1.0.17 (HKLM-x32\...\Amazon MP3 Downloader) (Version: 1.0.17 - Amazon Services LLC)

Apple Application Support (HKLM-x32\...\{D9DAD0FF-495A-472B-9F10-BAE430A26682}) (Version: 3.0.3 - Apple Inc.)

Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)

Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)

Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)

BufferChm (x32 Version: 130.0.331.000 - Hewlett-Packard) Hidden

Burn.Now 4.5 (x32 Version: 4.5.0 - Corel Corporation) Hidden

Canon Camera Access Library (HKLM-x32\...\CAL) (Version: 8.2.0.1 - )

Canon Camera Window DC_DV 6 for ZoomBrowser EX (HKLM-x32\...\CameraWindowDVC6) (Version: 6.3.0.11 - )

Canon Camera Window MC 6 for ZoomBrowser EX (HKLM-x32\...\CameraWindowMC) (Version: 6.2.0.11 - )

Canon G.726 WMP-Decoder (HKLM-x32\...\Canon G.726 WMP-Decoder) (Version: 1.0.1.3 - )

Canon MovieEdit Task for ZoomBrowser EX (HKLM-x32\...\MovieEditTask) (Version: 2.3.0.19 - )

Canon RAW Image Task for ZoomBrowser EX (HKLM-x32\...\RAW Image Task) (Version: 2.4.0.7 - )

Canon RemoteCapture Task for ZoomBrowser EX (HKLM-x32\...\RemoteCaptureTask) (Version: 1.6.0.9 - )

Canon Utilities EOS Utility (HKLM-x32\...\EOS Utility) (Version: 1.0.4.18 - )

Canon Utilities PhotoStitch (HKLM-x32\...\PhotoStitch) (Version: 3.1.18.42 - )

Canon Utilities ZoomBrowser EX (HKLM-x32\...\ZoomBrowser EX) (Version: 5.7.0.74 - )

Causality Lab 4.3 (HKCU\...\Causality Lab 4.3) (Version: - LSEC, Philosophy Dept, Carnegie Mellon)

CBR Reader (HKLM-x32\...\{EDAAC216-AC73-4152-9654-E12FE5A69F5D}_is1) (Version: - cbrreader.com)

Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)

Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)

Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)

Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)

Conexant 20672 SmartAudio HD (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.32.23.0 - Conexant)

Corel Burn.Now Lenovo Edition (HKLM-x32\...\InstallShield_{A3BE3F1E-2472-4211-8735-E8239BE49D9F}) (Version: 4.5.0 - Corel Corporation)

Corel DVD MovieFactory 7 (x32 Version: 7.0.0 - Corel Corporation) Hidden

Corel DVD MovieFactory Lenovo Edition (HKLM-x32\...\InstallShield_{50F68032-B5B7-4513-9116-C978DBD8F27A}) (Version: 7.0.0 - Corel Corporation)

Corel WinDVD (HKLM-x32\...\{5C1F18D2-F6B7-4242-B803-B5A78648185D}) (Version: 10.0.5.890 - Corel Inc.)

Create Recovery Media (HKLM-x32\...\{50DC5136-21E8-48BC-97E5-1AD055F6B0B6}) (Version: 1.20.0.00 - Lenovo Group Limited)

Cyberduck 13577 (4.4) (HKLM-x32\...\Cyberduck) (Version: 13577 (4.4) - )

D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{CA75CBF9-B078-47CB-ABA3-74EFD4FC9A43}) (Version: - Microsoft)

Destinations (x32 Version: 130.0.0.0 - Hewlett-Packard) Hidden

DeviceDiscovery (x32 Version: 130.0.372.000 - Hewlett-Packard) Hidden

Direct DiscRecorder (x32 Version: 1.00.0000 - Corel Corporation) Hidden

DocMgr (x32 Version: 130.0.000.000 - Hewlett-Packard) Hidden

DocProc (x32 Version: 13.0.0.0 - Hewlett-Packard) Hidden

Dropbox (HKCU\...\Dropbox) (Version: 2.8.2 - Dropbox, Inc.)

Equalify v2.2.1 (Stable) (HKLM-x32\...\{FF890228-5396-4BB0-B500-6E2843D7DD63}) (Version: 2.2.1.0 - Equalify)

Facebook Video Calling 1.2.0.159 (HKLM-x32\...\{7CAC6A44-C3DE-4153-ACA6-7524602C789E}) (Version: 1.2.159 - Skype Limited)

Fax (x32 Version: 130.0.418.000 - Hewlett-Packard) Hidden

GameFly (HKLM-x32\...\GameFly) (Version: 1.2.106 - GameFly, Inc.)

GameFly (x32 Version: 1.2.106 - GameFly, Inc.) Hidden

Google Chrome (HKCU\...\Google Chrome) (Version: 35.0.1916.153 - Google Inc.)

Google Drive (HKLM-x32\...\{D9F75285-4864-461D-83DA-8D056BAC44D1}) (Version: 1.16.6866.4367 - Google, Inc.)

Google Talk Plugin (HKLM-x32\...\{C1E3DFE7-4EAD-3E9E-A826-E06055BA5921}) (Version: 5.4.2.18903 - Google)

Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden

GPBaseService2 (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden

Hewlett-Packard ACLM.NET v1.1.0.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden

HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.216 - SurfRight B.V.)

HP Customer Participation Program 13.0 (HKLM\...\HPExtendedCapabilities) (Version: 13.0 - HP)

HP Document Manager 2.0 (HKLM\...\HP Document Manager) (Version: 2.0 - HP)

HP Imaging Device Functions 13.0 (HKLM\...\HP Imaging Device Functions) (Version: 13.0 - HP)

HP Officejet 4500 G510g-m (HKLM\...\{E5083D57-D93F-404C-A91F-1C50D67C2BEB}) (Version: 13.0 - HP)

HP Product Detection (HKLM-x32\...\{A436F67F-687E-4736-BD2B-537121A804CF}) (Version: 11.14.0001 - HP)

HP Smart Web Printing 4.5 (HKLM\...\HP Smart Web Printing) (Version: 4.5 - HP)

HP Solution Center 13.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 13.0 - HP)

HP Update (HKLM-x32\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)

HPProductAssistant (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden

HPSSupply (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden

Integrated Camera Driver Installer Package Ver.1.1.0.1147 (HKLM-x32\...\{B2CA6F37-1602-4823-81B5-0384B6888AA6}) (Version: 1.1.0.1147 - RICOH)

Integrated Camera TWAIN (HKLM-x32\...\{9CA0DEE4-E84B-466F-9B96-FC255F3A929F}) (Version: 1.0.11.1223 - Chicony Electronics Co.,Ltd.)

Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)

Intel® Identity Protection Technology 1.1.2.0 (HKLM-x32\...\{C01A86F5-56E7-101F-9BC9-E3F1025EB779}) (Version: 1.1.2.0 - Intel Corporation)

Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2321 - Intel Corporation)

iTunes (HKLM\...\{5A68A656-979F-4168-8795-E2E368AA4DC2}) (Version: 11.2.2.3 - Apple Inc.)

Java 7 Update 55 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217055FF}) (Version: 7.0.550 - Oracle)

Java Auto Updater (x32 Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden

Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

League of Legends (HKLM-x32\...\{92606477-9366-4D3B-8AE3-6BE4B29727AB}) (Version: 1.3 - Riot Games)

Lenovo Auto Scroll Utility (HKLM\...\LenovoAutoScrollUtility) (Version: 1.00 - )

Lenovo Registration (HKLM-x32\...\{6707C034-ED6B-4B6A-B21F-969B3606FBDE}) (Version: 1.0.2 - Lenovo Inc.)

Lenovo SimpleTap (HKLM\...\{CFD2C9F6-AE2F-4422-A7E9-182B47F1E72E}) (Version: 1.3.0005.00 - Lenovo Group Limited)

Lenovo System Interface Driver (HKLM\...\LENOVO.SMIIF) (Version: 1.05 - )

Lenovo ThinkVantage Toolbox (HKLM\...\PC-Doctor for Windows) (Version: 6.0.5849.23 - PC-Doctor, Inc.)

Lenovo User Guide (HKLM-x32\...\{13F59938-C595-479C-B479-F171AB9AF64F}) (Version: 1.0.0008.00 - Lenovo)

Lenovo Warranty Information (HKLM-x32\...\{FD4EC278-C1B1-4496-99ED-C0BE1B0AA521}) (Version: 1.0.0005.00 - Lenovo)

Lenovo Welcome (HKLM-x32\...\Lenovo Welcome_is1) (Version: 2.02.003.0 - Lenovo)

Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)

MarketResearch (x32 Version: 130.0.374.000 - Hewlett-Packard) Hidden

McAfee SecurityCenter (HKLM-x32\...\MSC) (Version: 11.0.572 - McAfee, Inc.)

Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden

Message Center Plus (HKLM-x32\...\{FD331A3B-F7A5-4C31-B8D4-DF413C85AF7A}) (Version: 2.0.0012.00 - Lenovo Group Limited)

Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)

Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden

Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden

Microsoft IntelliPoint 8.2 (HKLM\...\Microsoft IntelliPoint 8.2) (Version: 8.20.468.0 - Microsoft Corporation)

Microsoft IntelliPoint 8.2 (Version: 8.20.468.0 - Microsoft Corporation) Hidden

Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)

Microsoft Office Groove MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office InfoPath MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)

Microsoft Office Professional Plus 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Proof (French) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)

Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)

Microsoft_VC80_ATL_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden

Microsoft_VC80_ATL_x86_x64 (Version: 8.0.50727.4053 - Adobe) Hidden

Microsoft_VC80_CRT_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden

Microsoft_VC80_CRT_x86_x64 (Version: 8.0.50727.4053 - Adobe) Hidden

Microsoft_VC80_MFC_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden

Microsoft_VC80_MFC_x86_x64 (Version: 8.0.50727.4053 - Adobe) Hidden

Microsoft_VC80_MFCLOC_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden

Microsoft_VC80_MFCLOC_x86_x64 (Version: 80.50727.4053 - Adobe) Hidden

Microsoft_VC90_ATL_x86 (x32 Version: 1.00.0000 - Adobe) Hidden

Microsoft_VC90_ATL_x86_x64 (Version: 1.00.0000 - Adobe) Hidden

Microsoft_VC90_CRT_x86 (x32 Version: 1.00.0000 - Adobe) Hidden

Microsoft_VC90_CRT_x86_x64 (Version: 1.00.0000 - Adobe) Hidden

Microsoft_VC90_MFC_x86 (x32 Version: 1.00.0000 - Adobe) Hidden

Microsoft_VC90_MFC_x86_x64 (Version: 1.00.0000 - Adobe) Hidden

Microsoft_VC90_MFCLOC_x86 (x32 Version: 1.00.0000 - Adobe) Hidden

Microsoft_VC90_MFCLOC_x86_x64 (Version: 1.00.0000 - Adobe) Hidden

Mozilla Firefox 29.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 29.0.1 (x86 en-US)) (Version: 29.0.1 - Mozilla)

Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)

MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden

MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden

MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)

MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)

MuseScore 1.3 (HKLM-x32\...\MuseScore) (Version: 1.3.0 - Werner Schweer and Others)

Network64 (Version: 130.0.374.000 - Hewlett-Packard) Hidden

Network64 (Version: 140.0.221.000 - Hewlett-Packard) Hidden

NoteWorthy Composer (HKLM-x32\...\NoteWorthy Composer) (Version: - )

NoteWorthy Composer 2 (HKLM-x32\...\NoteWorthy Composer 2) (Version: Demo Version 2.0 - Noteworthy Software, Inc.)

OCR Software by I.R.I.S. 13.0 (HKLM\...\HPOCR) (Version: 13.0 - HP)

On Screen Display (HKLM\...\OnScreenDisplay) (Version: 6.22.00 - )

Pando Media Booster (HKLM-x32\...\{980A182F-E0A2-4A40-94C1-AE0C1235902E}) (Version: 2.3.6.0 - Pando Networks Inc.)

PDF Settings CS5 (x32 Version: 10.0 - Adobe Systems Incorporated) Hidden

Plants vs. Zombies (HKLM-x32\...\Plants vs. Zombies) (Version: - PopCap Games)

Python 2.5.4 (HKLM-x32\...\{2E0DFC24-7C4B-4DCF-BCC7-81C513BED3BC}) (Version: 2.5.4150 - Python Software Foundation)

QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)

RapidBoot (HKLM-x32\...\InstallShield_{C83D5AA1-6A1F-4102-8F7F-C0230DD31FC0}) (Version: 1.00 - Lenovo)

RapidBoot (x32 Version: 1.00 - Lenovo) Hidden

Registry Patch to Enable Maximum Power Saving on WiFi Adapters for Windows 7 (HKLM\...\EnablePS) (Version: 1.00 - )

RICOH_Media_Driver_v2.13.18.02 (HKLM-x32\...\{FE041B02-234C-4AAA-9511-80DF6482A458}) (Version: 2.13.18.02 - RICOH)

Scan (x32 Version: 13.0.0.0 - Hewlett-Packard) Hidden

Secure Download Manager (HKLM-x32\...\{C28422FB-F2CD-427A-ADED-9F281745CDB2}) (Version: 3.0.3 - e-academy Inc.)

Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)

Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32 Version: - Microsoft) Hidden

Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 13.0 - HP)

Skype Click to Call (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 5.9.9216 - Skype Technologies S.A.)

Skype™ 6.16 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.16.105 - Skype Technologies S.A.)

SmartWebPrinting (x32 Version: 130.0.373.000 - Hewlett-Packard) Hidden

SolutionCenter (x32 Version: 130.0.373.000 - Hewlett-Packard) Hidden

Spotify (HKCU\...\Spotify) (Version: 0.9.10.14.g578d350b - Spotify AB)

Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)

Star Wars: The Old Republic (HKLM-x32\...\{3B11D799-48E0-48ED-BFD7-EA655676D8BB}) (Version: 1.00 - Electronic Arts, Inc.)

Starcraft (HKLM-x32\...\Starcraft) (Version: - )

StarCraft II (HKLM-x32\...\StarCraft II) (Version: 2.0.7.25293 - Blizzard Entertainment)

Stata 12 (HKLM-x32\...\{5006A0E8-B9B0-48DF-981A-41D005B3E937}) (Version: 12.0 - StataCorp LP)

Status (x32 Version: 130.0.373.000 - Hewlett-Packard) Hidden

swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden

System Update (HKLM-x32\...\{25C64847-B900-48AD-A164-1B4F9B774650}) (Version: 4.00.0042 - Lenovo)

ThinkPad FullScreen Magnifier (HKLM\...\ThinkPad FullScreen Magnifier) (Version: 2.22 - )

ThinkPad Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.61.00.11 - )

ThinkPad Power Manager (HKLM-x32\...\{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}) (Version: 3.48 - )

ThinkPad UltraNav Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.5.0 - )

ThinkPad UltraNav Utility (HKLM-x32\...\{17CBC505-D1AE-459D-B445-3D2000A85842}) (Version: 2.13.0 - Lenovo)

ThinkPad Wireless LAN Adapter Software (HKLM-x32\...\{9D3D2C60-A55F-4fed-B2B9-17311226DF01}) (Version: 1.00.0029.5 - REALTEK Semiconductor Corp.)

ThinkVantage Active Protection System (HKLM\...\{46A84694-59EC-48F0-964C-7E76E9F8A2ED}) (Version: 1.73 - Lenovo)

ThinkVantage AutoLock (HKLM\...\{E224B44B-B5EB-4af3-A80A-A255358E241A}_is1) (Version: 1.01 - Lenovo)

ThinkVantage Communications Utility (HKLM\...\{88C6A6D9-324C-46E8-BA87-563D14021442}_is1) (Version: 2.06 - Lenovo)

Toolbox (x32 Version: 130.0.648.000 - Hewlett-Packard) Hidden

TrayApp (x32 Version: 130.0.376.000 - Hewlett-Packard) Hidden

Unity Web Player (HKCU\...\UnityWebPlayer) (Version: - Unity Technologies ApS)

Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version: - Microsoft)

Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{302A8FE3-EBF5-486C-A431-16A1CD914443}) (Version: - Microsoft)

Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{302A8FE3-EBF5-486C-A431-16A1CD914443}) (Version: - Microsoft)

Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version: - Microsoft)

Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{39767ECA-1731-45DB-AB5B-6BF40E151D66}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{F1A20C69-9FE5-40FD-9CD5-84EABC2EF64A}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{BA610006-2C39-4419-9834-CF61AB24810A}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{82F87E28-B18E-46D6-A399-E2F19CF5949B}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUSR_{5E8EB600-8B94-429E-873E-98369C6DC1BC}) (Version: - Microsoft)

Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{EFF5EBA3-40AD-4859-85E7-3C1CF4F297EB}) (Version: - Microsoft)

Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)

Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)

Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version: - Microsoft)

Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version: - Microsoft)

Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM-x32\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{334AA0A1-2BB1-4D74-B66A-2B2C4D9C2C87}) (Version: - Microsoft)

Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{2BA40F82-F3A4-441C-BF1A-ED4C42FF4872}) (Version: - Microsoft)

Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version: - Microsoft)

Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version: - Microsoft)

Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{7B29D8B8-6A87-496C-A65E-B935E740448A}) (Version: - Microsoft)

Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{38CF30E4-3348-4BD1-A859-B630C355A56F}) (Version: - Microsoft)

Update for Microsoft Word 2010 (KB2880529) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{B9B89E01-5B6B-4F73-BC34-B2C0D8ACB4CD}) (Version: - Microsoft)

VIP Access (HKLM-x32\...\{E8D46836-CD55-453C-A107-A59EC51CB8DC}) (Version: 2.0.2.141 - VeriSign)

WebReg (x32 Version: 130.0.132.017 - Hewlett-Packard) Hidden

Windows Driver Package - Intel (e1cexpress) Net (12/21/2010 11.8.84.0) (HKLM\...\6D23A494E9A245843FB8584D9307D3E328DF8613) (Version: 12/21/2010 11.8.84.0 - Intel)

Windows Driver Package - Intel (MEIx64) System (10/19/2010 7.0.0.1144) (HKLM\...\90FD26A77B849AE03FF5F07A1CDA7F950406A8D8) (Version: 10/19/2010 7.0.0.1144 - Intel)

Windows Driver Package - Intel System (09/10/2010 9.2.0.1011) (HKLM\...\0CDBDD444A1F5FFEA227B4E7DCE195F11F08240A) (Version: 09/10/2010 9.2.0.1011 - Intel)

Windows Driver Package - Intel System (09/10/2010 9.2.0.1011) (HKLM\...\A513FC5E5A08D4EF27F234E91E0E942A0234210B) (Version: 09/10/2010 9.2.0.1011 - Intel)

Windows Driver Package - Intel System (10/04/2010 9.2.0.1015) (HKLM\...\FE1BEBFD475BB832AAF104F5C63348E98A9286DF) (Version: 10/04/2010 9.2.0.1015 - Intel)

Windows Driver Package - Intel USB (09/16/2010 9.2.0.1013) (HKLM\...\D97688B8E3830BF9820E15EB8D9552DCBF988CFD) (Version: 09/16/2010 9.2.0.1013 - Intel)

Windows Driver Package - Lenovo 1.61.00.11 (11/11/2010 1.61.00.11) (HKLM\...\466E9B20D871055D6D3CDA2CDD1D355E978A61AF) (Version: 11/11/2010 1.61.00.11 - Lenovo)

Windows Driver Package - Ricoh Company SD Host Controller (03/23/2011 6.10.10.30) (HKLM\...\4534F449D55EE49DEE206B3D9A3B1811E1A495EA) (Version: 03/23/2011 6.10.10.30 - Ricoh Company)

Windows Driver Package - Synaptics (SynTP) Mouse (03/24/2011 15.2.19.0) (HKLM\...\5DF942712DC7660AE4A1B04809A1C3F67B0CA27C) (Version: 03/24/2011 15.2.19.0 - Synaptics)

Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)

Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden

Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live Language Selector (Version: 15.4.3508.1109 - Microsoft Corporation) Hidden

Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live Mesh (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)

Windows Live Messenger (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden

Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden

Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden

Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden

Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden

Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden

Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

WinRAR 4.11 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 4.11.0 - win.rar GmbH)

WinRAR 4.11 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.11.0 - win.rar GmbH)

==================== Restore Points =========================

17-06-2014 08:34:07 Malwarebytes Anti-Rootkit Restore Point

21-06-2014 12:20:29 Malwarebytes Anti-Rootkit Restore Point

==================== Hosts content: ==========================

2009-07-13 19:34 - 2014-06-18 12:40 - 00001691 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 localhost

173.212.223.247 www.google-analytics.com.

173.212.223.247 google-analytics.com.

173.212.223.247 connect.facebook.net.

173.212.223.247 bing.com.

173.212.223.247 www.bing.com.

173.212.223.247 gb.bing.com.

173.212.223.247 au.bing.com.

173.212.223.247 ca.bing.com.

94.242.222.115 www.google-analytics.com.

94.242.222.115 google-analytics.com.

94.242.222.115 connect.facebook.net.

94.242.222.115 bing.com.

94.242.222.115 www.bing.com.

94.242.222.115 gb.bing.com.

94.242.222.115 au.bing.com.

94.242.222.115 ca.bing.com.

==================== Scheduled Tasks (whitelisted) =============

Task: {02EB5921-AE84-49B2-A1A0-5C2FA2116FAC} - System32\Tasks\{255EC46E-C784-4F75-9E1C-8D71F2B73AD2} => Chrome.exe http://ui.skype.com/ui/0/5.0.0.152.375/en/go/help.faq.installer?LastError=1603

Task: {06AF49E5-B89B-434D-8564-E1BAA7037751} - \Express FilesUpdate No Task File <==== ATTENTION

Task: {11682873-4309-44CA-9C33-6FDDCE27E554} - System32\Tasks\MCP => C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe [2009-05-27] ()

Task: {22387049-B50C-49AD-AAE1-E3CBB4821D5C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-09-24] (Google Inc.)

Task: {33C358FD-E07C-4184-A47E-5AB367D270EE} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000Core => C:\Users\nate\AppData\Local\Facebook\Update\FacebookUpdate.exe

Task: {3CCDD310-FCC6-453B-AF52-CAF52ED3C60E} - System32\Tasks\DiskUpdate => C:\SWTOOLS\OSFIXES\DISKUPDT\DiskUpdate.exe [2009-02-09] ()

Task: {5272CEBC-8E8C-4139-ADF5-9E81DE648454} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-09-24] (Google Inc.)

Task: {5EF996A6-52D5-4A00-A013-CDB69EAD49E3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000Core => C:\Users\nate\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-09] (Google Inc.)

Task: {693D5AC6-A509-49B0-A204-BAF5D5102815} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => c:\Program Files\Microsoft IntelliPoint\IPoint.exe [2011-08-01] (Microsoft Corporation)

Task: {720D3AC0-8456-4BC6-8911-432BB18BFB2E} - System32\Tasks\PCDEventLauncher => C:\Program Files\PC-Doctor\sessionchecker.exe [2011-06-27] (PC-Doctor, Inc.)

Task: {7A9E24CF-01CD-4501-B1FC-CE68FE1B84CC} - System32\Tasks\AdobeAAMUpdater-1.0-Nathans-nate => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2011-03-30] (Adobe Systems Incorporated)

Task: {92D36BBD-0D97-46FB-8722-19288C2AC15F} - System32\Tasks\Lenovo\SimpleTap Watermark Launcher => C:\Program Files\lenovo\simpletap\simpletap.exe [2011-02-08] (Lenovo)

Task: {A3B600E7-572D-4404-A9A3-3BF7C06A562C} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\PC-Doctor\uaclauncher.exe [2011-06-27] (PC-Doctor, Inc.)

Task: {A93EE7BE-35C7-4C89-95A1-2BB392F6E758} - System32\Tasks\SystemToolsDailyTest => C:\Program Files\PC-Doctor\uaclauncher.exe [2011-06-27] (PC-Doctor, Inc.)

Task: {B8D18F58-93C2-49FB-BBB1-FA318FA1BC08} - System32\Tasks\PMTask => C:\Program Files (x86)\ThinkPad\Utilities\PWMIDTSV.EXE [2011-03-23] (Lenovo Group Limited)

Task: {C4D8EADC-D433-4207-9FAF-96CE7C25CA2B} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000UA => C:\Users\nate\AppData\Local\Facebook\Update\FacebookUpdate.exe

Task: {EF31D78A-C291-4B6D-828F-DA9CA05EF32B} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-05-27] (Adobe Systems Incorporated)

Task: {FA59E9AB-BFFF-4F82-AE03-C093ACF659F8} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000UA => C:\Users\nate\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-09] (Google Inc.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000Core.job => C:\Users\nate\AppData\Local\Facebook\Update\FacebookUpdate.exe

Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000UA.job => C:\Users\nate\AppData\Local\Facebook\Update\FacebookUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000Core.job => C:\Users\nate\AppData\Local\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1022412237-4134323410-1441852971-1000UA.job => C:\Users\nate\AppData\Local\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job => C:\Program Files\PC-Doctor\uaclauncher.exe

Task: C:\Windows\Tasks\SystemToolsDailyTest.job => C:\Program Files\PC-Doctor\uaclauncher.exe

==================== Loaded Modules (whitelisted) =============

2008-09-08 11:19 - 2008-09-08 11:19 - 00022016 _____ () C:\Windows\System32\cl31cl6.dll

2006-12-04 01:26 - 2006-12-04 01:26 - 00022016 _____ () C:\Windows\System32\sugo3l6.dll

2013-09-05 01:17 - 2013-09-05 01:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF

2010-10-20 16:23 - 2010-10-20 16:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

2011-08-10 12:42 - 2010-10-25 21:40 - 00049056 ____N () C:\Program Files\CONEXANT\ForteConfig\fmapp.exe

2011-08-10 12:46 - 2011-03-10 20:10 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll

2011-02-08 17:36 - 2011-02-08 17:36 - 01530168 _____ () C:\Program Files\lenovo\simpletap\SimpleTapResources.dll

2011-02-08 17:36 - 2011-02-08 17:36 - 00027448 _____ () C:\Program Files\lenovo\simpletap\Add-ons\Lenovo\Audio\CoreAudioApi.dll

2011-02-08 17:36 - 2011-02-08 17:36 - 00014136 _____ () C:\Program Files\lenovo\simpletap\Add-ons\Lenovo\Brightness\DisplayBrightnessApi.dll

2011-02-08 17:36 - 2011-02-08 17:36 - 00014648 _____ () C:\Program Files\lenovo\simpletap\Add-ons\Lenovo\ScreenLock\TouchScreenApi.dll

2013-09-24 09:52 - 2014-05-15 11:23 - 00598072 _____ () C:\Users\nate\AppData\Roaming\Spotify\Data\SpotifyHelper.exe

2009-05-27 22:09 - 2009-05-27 22:09 - 00049976 _____ () C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe

2014-03-17 18:09 - 2014-03-17 18:09 - 02967040 _____ () C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll

2011-08-10 12:48 - 2011-03-23 11:48 - 00044544 ____N () C:\Program Files (x86)\ThinkPad\Utilities\US\PWMRT64V.DLL

2014-04-14 10:43 - 2014-04-14 10:43 - 02278912 _____ () C:\ProgramData\Microsoft\Crypto\RSA64\rsa64.dll

2012-05-20 20:41 - 2012-02-17 20:55 - 00193536 _____ () C:\Program Files\WinRAR\rarext.dll

2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll

2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll

2011-08-10 12:49 - 2010-04-06 09:05 - 02085888 _____ () C:\Program Files\Lenovo\AutoLock\cv210.dll

2011-08-10 12:49 - 2010-04-06 09:04 - 02201088 _____ () C:\Program Files\Lenovo\AutoLock\cxcore210.dll

2013-05-18 12:14 - 2014-05-15 11:23 - 36966968 _____ () C:\Users\nate\AppData\Roaming\Spotify\Data\libcef.dll

2014-06-21 08:53 - 2014-06-21 08:53 - 00043008 _____ () c:\users\nate\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpjhnmr6.dll

2013-08-23 12:01 - 2013-08-23 12:01 - 25100288 _____ () C:\Users\nate\AppData\Roaming\Dropbox\bin\libcef.dll

2014-05-08 11:05 - 2014-05-08 11:05 - 00202152 _____ () C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll

2014-05-08 11:05 - 2014-05-08 11:05 - 00018856 _____ () C:\Program Files (x86)\Java\jre7\bin\jp2native.dll

2013-09-05 01:14 - 2013-09-05 01:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF

2010-10-20 16:45 - 2010-10-20 16:45 - 08801120 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll

2014-06-13 22:18 - 2014-06-05 06:58 - 04217672 _____ () C:\Users\nate\AppData\Local\Google\Chrome\Application\35.0.1916.153\pdf.dll

2014-06-13 22:18 - 2014-06-05 06:58 - 00414536 _____ () C:\Users\nate\AppData\Local\Google\Chrome\Application\35.0.1916.153\ppGoogleNaClPluginChrome.dll

2014-06-13 22:18 - 2014-06-05 06:58 - 01732424 _____ () C:\Users\nate\AppData\Local\Google\Chrome\Application\35.0.1916.153\ffmpegsumo.dll

2014-05-05 20:36 - 2014-02-10 13:44 - 04592128 _____ () C:\Users\nate\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll

2014-05-05 20:36 - 2014-02-10 13:44 - 00112128 _____ () C:\Users\nate\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll

2014-06-13 22:18 - 2014-06-05 06:58 - 14612296 _____ () C:\Users\nate\AppData\Local\Google\Chrome\Application\35.0.1916.153\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\TEMP:373E1720

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc => ""="Service"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""="Service"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcmscsvc => ""="Service"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""="Service"

==================== EXE Association (whitelisted) =============

==================== MSCONFIG/TASK MANAGER disabled items =========

==================== Faulty Device Manager Devices =============

Name: Deskjet 3050 J610 series

Description: Deskjet 3050 J610 series

Class Guid:

Manufacturer:

Service:

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Officejet Pro 8500 A909n

Description: Officejet Pro 8500 A909n

Class Guid:

Manufacturer:

Service:

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:

==================

System errors:

=============

Microsoft Office Sessions:

=========================

==================== Memory info ===========================

Percentage of memory in use: 68%

Total physical RAM: 3983.23 MB

Available physical RAM: 1250.21 MB

Total Pagefile: 7964.65 MB

Available Pagefile: 4078.8 MB

Total Virtual: 8192 MB

Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (Windows7_OS) (Fixed) (Total:281.29 GB) (Free:49.48 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Drive q: (Lenovo_Recovery) (Fixed) (Total:15.62 GB) (Free:7.51 GB) NTFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: FED75091)

Partition 1: (Active) - (Size=1 GB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=281 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=16 GB) - (Type=07 NTFS)

==================== End Of Log ============================

AdvancedSetup · July 15, 2014

Hello and :welcome:

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:

If you're using
Peer 2 Peer
software such as
uTorrent, BitTorrent
or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have
illegal/cracked software, cracks, keygens etc
. on the system, please remove or uninstall them now and read the policy on
Piracy
.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
If the log is too large then you can use attachments by clicking on the More Reply Options button.
Please enable your system to show hidden files: How to see hidden files in Windows
Make sure you're subscribed to this topic:
- Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
[*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]You can check here if you're not sure if your computer is 32-bit or 64-bit [*]Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1

Link 2

On Windows XP double-click on the Rkill desktop icon to run the tool.
On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, you will need to run the application again.

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

Please download ERUNT from one of the following links: Link1 | Link2 | Link3
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
Double click on erunt-setup.exe to Install ERUNT by following the prompts.
NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
Choose a location for the backup.
- Note: the default location is C:\Windows\ERDNT which is acceptable.
[*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below please see the following: MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

STEP 03
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

RogueKiller 32-bit | RogueKiller 64-bit
Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User Licene Agreement)
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Don't run any other options, they're not all bad!!
Post back the report which should be located on your desktop.

Thank you

nlu122 · July 16, 2014

Hey Advanced setup,

Thanks so much for doing this. Just letting you know that I ran a few scans yesterday in order to keep my computer from crashing on me (as it has)... so these scans might not show very much...

Also, I copied and pasted all the scan logs into one txt file. Let me know if it's easier for you if they're in separate replies.

Thanks again!

ROOTKILL: ____________________________________________________________________________________________________________

Rkill 2.6.7 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 07/15/2014 09:40:10 PM in x64 mode.

Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.

Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* Cannot edit the HOSTS file.

* Permissions Fixed. Administrators can now edit the HOSTS file.

* HOSTS file entries found:

127.0.0.1 localhost

::1 localhost

188.40.62.183 www.google-analytics.com.

188.40.62.183 google-analytics.com.

188.40.62.183 connect.facebook.net.

94.242.222.115 www.google-analytics.com.

94.242.222.115 google-analytics.com.

94.242.222.115 connect.facebook.net.

Program finished at: 07/15/2014 09:43:48 PM

Execution time: 0 hours(s), 3 minute(s), and 38 seconds(s)

ERUNT:____________________________________________________________________________________________________________

ERUNT - The Emergency Recovery Utility NT

=========================================

Registry Backup and Restore for Windows NT/2000/2003/XP

v1.1j, 10/20/2005, Freeware

Written by Lars Hederer

e-mail: lars.hederer@t-online.de

Look for the latest version here:

http://www.larshederer.homepage.t-online.de/erunt

To find out what's new in this version, please see the "Version

history" section later in this file.

Introduction

------------

With the invention of Windows 95 Microsoft made the wise decision to

organize all computer- and application-specific data which was spread

over countless INI files before in a centralized Windows database,

called the system "registry". The registry is one of the most

important parts in every Windows system today, without which the OS

would not even boot. And since the registry is quite sensitive to

corruption, it is very advisable to backup its according files from

time to time.

In MS-DOS based Windows versions (95, 98, Me) the registry consists of

the files SYSTEM.DAT and USER.DAT (and CLASSES.DAT in Windows Me). To

backup these files, one can easily go to the Windows folder in

Explorer and copy the files to a safe location, for example another

folder on the hard disk. Microsoft even supplies a utility called ERU

which can be used to backup these and a few other critical system

files to a safe location.

Also, Windows 9x/Me automatically create backups of the registry at

startup, with Windows 95 always backing up the registry from the

previous Windows session, and Windows 98/Me maintaining up to five

registry copies from the last five days where Windows was running.

Unfortunately, this is not the case with Windows versions based on the

NT kernel. In Windows NT and 2000, the registry is never backed up

automatically, and in XP it is backed up only as part of the bloated

and resource hogging System Restore program which cannot even be used

for a "restore" should a corrupted registry prevent Windows from

booting. It has also become impossible to copy the necessary files,

now called "hives" and usually named DEFAULT, SAM, SECURITY, SOFTWARE,

SYSTEM in the SYSTEM32\CONFIG folder, to another location because they

are all in use by the OS. And though the registry in an NT-based

Windows is less likely to become corrupted than in other versions, it

can still happen, and for these cases NT is simply missing an option

for easy registry backup and restore as there is in Windows 9x/Me, to

get the system up and running again in no time.

In 2001, as Windows XP began to come pre-installed on many new home

user PCs and was likely to become the new Windows standard over the

next years, I decided to write a program which offers the ease-of-use

of Windows 9x/Me ERU by Microsoft (hence the name ERUNT) to backup the

registry, as well as providing an auto-backup capability, for example

at Windows startup.

Or, before installing a new program for testing purposes one could

save the registry with ERUNT, install and test the program, uninstall

it and restore the registry to be 100% sure that no debris is left.

Note: The "Export registry" function in Regedit is USELESS (!) for

making a complete backup of the registry. Neither does it export the

whole registry (for example, no information from the "SECURITY" hive

is saved), nor can the exported file be used later to replace the

current registry with the old one. Instead, if you re-import the file,

it is merged with the current registry without deleting anything that

has been added since the export, leaving you with an absolute mess of

old and new entries.

Features

--------

- Backup the Windows NT/2000/2003/XP registry to a folder of your

choice

- System and current user registries selectable

- Command line switches for automated registry backup and restoration

- Restore the registry in Windows 9x/Me/NT/2000/2003/XP and MS-DOS

(all-in-one restore program) or the Windows Recovery Console

- Included in this package:

NTREGOPT program for optimizing the registry

- All programs in this package are completely localizable

(translate them into your language), German version included

Supported operating systems

---------------------------

- Windows NT 3.51

- Windows NT 4.0

- Windows 2000

- Windows 2003

- Windows XP

- most likely, all future Windows versions based on the NT kernel

Additionally supported by the ERDNT restore program:

- MS-DOS

- Windows 95

- Windows 98

- Windows Me

Installation

------------

Use the Setup program to install ERUNT on your computer.

Or, if you downloaded the zipped version: Unzip all files into a

folder of your choice, and if you want, create shortcuts on your

desktop to the ERUNT.EXE and NTREGOPT.EXE files.

Uninstallation

--------------

Use "Add/Remove Programs" in Windows' control panel to remove ERUNT

from your computer.

Or, if you downloaded the zipped version: Delete the ERUNT folder,

delete the appropriate desktop icons.

(You may also want to delete all restore folders you have previously

created with the program.)

Backing up the registry with ERUNT

----------------------------------

Note: To ensure proper operation of ERUNT, you should be logged in as

a system administrator.

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry

files should be saved, or click "..." to browse your computer's drives

and select a folder. You can also simply leave the default, which is a

folder named ERDNT inside your Windows folder, the advantage being

that you have access to this folder from the Windows Recovery Console

in case Windows does not boot anymore.

Note that in the folder edit field, ERUNT by default appends a folder

named the current date to the restore folder, which allows you to keep

as many registry backups as you wish in the same restore folder,

separated into the different creation dates. This feature, as well as

the appearance of the date string, can be configured via the ERUNT.INI

file, described later in this document. If you want the registry backup

to be created directly in the folder you select, you can also simply

remove the date from the folder edit field before clicking "OK".

Next, select the backup options:

- System registry: The current system registry, usually consisting of

the files DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM.

- Current user registy: The registry files for the currently logged-on

user, usually NTUSER.DAT and USRCLASS.DAT.

- Other open user registries: Sometimes Windows has a few other user

registries in memory. Examples for this are "generic" registries,

e.g. for user "EVERYONE", or registries of other users if you use

Fast Task Switching in Windows XP. Check this option to backup all

these additional user registries (if found) as well.

Click "OK" and wait until the backup process is complete. (Note that

depending on your system configuration this may take some time, and

that the first bar is NOT a progress bar, just an indicator that the

program is still running.) The ERDNT program for later restoration of

the registry is automatically copied to the restore folder.

(Technical information: ERUNT saves only registry files which are in

use by the system. It obtains information about these files from

registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\

hivelist. Registry hives not listed there, for example those

of other users of the computer, cannot be saved by ERUNT.)

ERUNT command line switches

---------------------------

ERUNT supports command line switches with which you can perform an

automated registry backup, without user interaction. The syntax for

the ERUNT command line is as follows:

ERUNT DestinationFolder [sysreg] [curuser] [otherusers]

[/noconfirmdelete] [/noprogresswindow]

DestinationFolder is required for command line operation of ERUNT,

all other switches are optional.

If you specify a destination folder on the command line, ERUNT

automatically runs in "silent" mode and with default backup options

(system and current user registry). No user interaction is required,

EXCEPT the confirmation of the restore folder deletion if it exists,

or any error messages. The confirmation question can be suppressed

by using /noconfirmdelete (see below).

Description of the command line switches:

DestinationFolder

The name of the folder where the registry backup should be saved.

Example: C:\WINDOWS\ERDNT

You can use the strings #Date# and #Time# anywhere in the folder

name to have ERUNT insert the current date/time at that position.

Example: C:\WINDOWS\ERDNT\#Date#

Windows' %SystemRoot% environment variable can be used on the

command line as a substitute for the name of the Windows folder.

Example: %SystemRoot%\ERDNT\#Date#

sysreg

Backup the system registry

curuser

Backup the current user registry

otherusers

Backup other open user registries

(Note: If none of the three above options is given on the command

line, ERUNT automatically uses the default backup options, system

and current user registry.)

/noconfirmdelete

Automatically deletes the contents of the destination folder if it

exists, without asking the user. BE CAREFUL and only use this option

if you are sure that the contents of that folder may really be

deleted!

/noprogresswindow

Hides the progress window during backup.

So, to backup the system registry to folder C:\ERDNT each day of the

week using subfolders with the name of the current day you could use

the integrated scheduler in Windows to schedule seven different ERUNT

calls for each day:

For Monday you would use the command line

C:\ERUNT\ERUNT.EXE C:\ERDNT\Monday sysreg /noconfirmdelete

For Tuesday you would use the command line

C:\ERUNT\ERUNT.EXE C:\ERDNT\Tuesday sysreg /noconfirmdelete

... well, you get the idea.

Or, to have ERUNT automatically backup the registry on each Windows

startup to a folder named "ERDNT" inside the Windows folder, including

a folder named the current date, you could place a shortcut like the

following in your Start Menu/Programs/Startup folder:

C:\ERUNT\ERUNT.EXE %SystemRoot%\ERDNT\#Date# /noconfirmdelete

If you want old restore folders created this way to be deleted

automatically from time to time, you can use AUTOBACK.EXE instead of

ERUNT.EXE. The AUTOBACK tool is described later in this document.

Also, ERUNT Setup offers the choice to add an AutoBackup shortcut to

the Startup folder automatically during the installation process.

The ERUNT.INI file

------------------

You can configure various ERUNT settings with this file, for example

change the default destination folder displayed in ERUNT's folder edit

field, or disable automatic appendation of the current date there.

Use Notepad to create a file named ERUNT.INI in your ERUNT folder, and

add the following line:

[ERUNT]

Below this line, enter one or more of the following configuration

options:

DefaultDestinationFolder

The name of the default folder displayed in ERUNT's folder edit

field. You may also use environment variables here, for example

%SystemRoot% as a substitute for the name of the Windows folder.

Default: %SystemRoot%\ERDNT

Example:

DefaultDestinationFolder=C:\ERDNT

AppendDateToFolderEditField

Enable or disable automatic appendation of the current date to

ERUNT's folder edit field.

0=disable, 1=enable, default: 1

Example:

AppendDateToFolderEditField=0

AppendTimeToFolderEditField

Enable or disable automatic appendation of the current time to

ERUNT's folder edit field. This function can only be enabled in

conjunction with AppendDateToFolderEditField also set to 1.

0=disable, 1=enable, default: 0

Example:

AppendTimeToFolderEditField=1

DateFormat

DateSeparator

These settings configure the appearance of the date string in

ERUNT's folder edit field, or when #Date# is used on the command

line. By default, ERUNT uses Windows' regional settings for the

short date format. Note that only "." and "-" are allowed as date

separators.

Example:

DateFormat=mm/dd/yyyy

DateSeparator=-

TimeFormat

TimeSeparator

These settings configure the appearance of the time string in

ERUNT's folder edit field, or when #Time# is used on the command

line. By default, ERUNT uses Windows' regional settings for the

short time format. Note that only "." and "-" are allowed as time

separators.

Example:

TimeFormat=hh:mm:ss

TimeSeparator=.

DisableFastBackup

On supported operating systems (including Windows XP and Server

2003) ERUNT by default uses a very fast backup algorithm. If you

experience any problems during registry backup, you can try to

disable this function and revert back to the conventional (but slow)

method. This setting has no effect on unsupported operating systems,

where the conventional algorithm is always used.

0=fast method, 1=conventional method, default: 0

Example:

DisableFastBackup=1

The AUTOBACK.EXE tool

---------------------

The command line tool AUTOBACK.EXE uses the same syntax as ERUNT but

performs the additional task of deleting old restore folders after the

new backup has been created.

For this to work properly, the name of the last folder in the command

line option DestinationFolder must begin with the current date, or the

#Date# string, respectively. If this is the case AUTOBACK

automatically searches the parent folder of the newly created backup

for folder names of the same date format and deletes all folders

except from the last 30 days where backups have been created.

The number of restore folders to keep can be changed using the /days:n

command line switch, e.g. /days:7 would only keep the folders from the

last 7 backup days.

By default AUTOBACK does not create a new backup if one already exists

for the current day. Use the /alwayscreate switch to change this

behavior and have the program always create a new backup.

AUTOBACK is dependent on ERUNT and therefore needs to be executed from

the same folder. It uses the same settings for the date format as

ERUNT does, so if you specified a new format in ERUNT.INI it will also

be used automatically by AUTOBACK.

Restoring the registry with ERDNT

---------------------------------

Situation: Windows is running normally.

To restore a previous registry backup, open Windows Explorer, navigate

to the folder where you saved the backup to, and double-click the

ERDNT.EXE file to start the restoration program. (Each restore folder

has its own copy of ERDNT.EXE in it.) Select which registry components

to restore, then click "OK" to start restoration. When the process is

complete, click "OK" to restart the computer and activate the restored

registry.

Note: If you experience any problems restoring the registry, please

read "ERDNT technical information" later in this document to learn

what ERDNT is actually doing during the process, or simply read on

through the following emergency scenarios for other ways of restoring

the registry.

What to do if Windows does not boot anymore?

--------------------------------------------

If Windows refuses to boot normally it can be for a variety of

reasons, not the least of which is that the registry is damaged, or

you installed a program or driver which is somewhat incompatible with

the system or buggy, in which case restoring a registry backup from a

point where everything was running smoothly should also help.

The first thing to try is to reboot and press the F8 key immediately

before the first Windows screen appears, then select the "Last Known

Good" option from the menu and see if Windows boots up with this

option. If it does, you're all set.

If it does not, reboot again with F8, and select the option "Safe

Mode". If Windows boots up in safe mode, you can restore a registry

backup just as you would in normal mode, as described above.

If safe mode also fails, read on...

Restoring the registry with ERDNT - Emergency Scenario I

--------------------------------------------------------

Situation: Windows fails to boot up in normal and safe mode, but you

have a DOS boot disk or another (working) operating system installed

on your PC which is supported by the ERDNT restoration program, and

from which you have full access to the drive(s) containing the corrupt

Windows installation and the registry backup.

Boot up to the working OS, and open the folder containing the registry

backup you want to restore.

If the drive letters are different to as they were in the Windows

where you created the registry backup, you need to edit the ERDNT.INF

file now to reflect the new drive letters, before trying to restore

the registry backup. For example, if the drive with the corrupt

Windows installation is now available as D: instead of C:, then you

would change all C:\... references in the INF file to D:\... . Editing

the file can be done in Windows with the Notepad program, and in DOS

with the EDIT command.

Now run the ERDNT.EXE file to start the restoration program. Select

which registry components to restore (just the system registry will do

in most cases), then start restoration. When the process is complete,

reboot the computer and check if the other Windows installation is

repaired now.

Restoring the registry with ERDNT - Emergency Scenario II

---------------------------------------------------------

Situation: Windows fails to boot up in normal and safe mode, and you

have no other working operating system installed on your PC.

The following two rescue methods require that your PC is configured so

that it can boot from CD. See your BIOS documentation for more

information.

1. Bart's PE Builder

Use another computer with Internet access and CD burning capabilities

to download this free program from the Internet (do a Google search

for it), which will create a bootable Windows CD with full access to

all drives (including NTFS). Boot from this CD, open the File

Management Utility and follow the directions in "Emergency Scenario I"

to run ERDNT and restore the registry.

2. The Windows Recovery Console (Windows 2000 and higher)

Note that you can use this method only if you saved the registry

backup inside the Windows folder, and that using this procedure only

the system registry is restored. This should however get you back into

Windows, from where you can run the ERDNT program to restore user

registries, if necessary.

- Boot your system from the Windows 2000/2003/XP CD-ROM.

- At the welcome screen, press "R" (Windows 2000: "R" then "C").

- Type in the number of the Windows installation you want to repair

(usually 1), then press ENTER.

- Type in the Administrator password (leave blank if you are unsure

what it is) and press ENTER.

- At the command prompt type

cd erdnt

or whatever you named your restore folder, then press ENTER.

- If you enabled automatic registry backup on system boot during ERUNT

installation and want to restore one of these backups, type

cd autobackup <ENTER>

- If you created subfolders for different registry backups (for

example, with the different creation dates), type

dir <ENTER>

to see a list of available folders, then type

cd foldername <ENTER>

where foldername is the name of a folder listed by the dir command,

to open that folder.

- Now type

batch erdnt.con <ENTER>

to restore the system registry from that folder.

- Type

exit <ENTER>

and remove the CD from the CD-ROM drive. The system will now reboot

with the restored registry.

ERDNT technical information

---------------------------

ERDNT knows two restoration modes. The right mode is usually auto-

detected each time ERDNT is run, but read on if you are experiencing

problems restoring the registry.

"NT" mode is used if you run the ERDNT program from within the same

system where you made the backup. This is determined by looking at the

[systemRoot] entry in the ERDNT.INF file and comparing it to the

actual %SystemRoot% environment variable. Using "NT" mode is the only

way to successfully restore the active registry of the currently

running OS.

"File copy" mode is used if the currently running OS is NOT NT-based,

or if the [systemRoot] entry does not match the %SystemRoot%

environment variable. In this mode the backed up registry files are

simply copied back to their original location.

MS-DOS based ERDNT only supports "File copy" mode.

Note: In restoration mode "NT" backups of the current registry files

are automatically created, so that option is grayed out. In

restoration mode "File copy" all saved user registries are

automatically restored, so you cannot choose between "current user"

and "other user" registries.

The backups of the current registry files are placed in the same

location as the original and are given the extension ".bak".

Experienced users don't even need to use the ERDNT program in other

operating systems to restore a registry backup. Given access to the

appropriate files and folders, the backed up files can simply be

copied back to their original location, as that is all ERDNT does

in "File copy" mode anyway. Have a look at the ERDNT.INF file to

find out what the original file locations are.

ERDNT command line switches

---------------------------

The ERDNT program also supports command line switches for "silent"

operation. The syntax for the ERDNT command line is:

ERDNT silent [sysreg] [curuser] [otherusers]

[/mode:nt|filecopy] [/nobackup] [/noprogresswindow] [/reboot]

(Switches in brackets are optional.)

Description of the command line switches:

silent

Puts ERDNT into "silent" mode and enables all other switches.

sysreg

Restore the system registry

curuser *

Restore the current user registry

(This option is ignored in "File copy" restoration mode.)

otherusers

Restore other saved user registries

(Note: If none of the three above options is given on the command

line, ERDNT automatically uses the default restoration options, system

and current user registry.)

/mode:nt or /mode:filecopy *

Disables automatic detection of the correct restoration mode and

uses mode "NT" or "File copy" instead.

/nobackup

Don't make backups of the current registry files during restoration.

(This switch is ignored in "NT" restoration mode.)

/noprogresswindow

Hides the progress window during restoration.

/reboot *

Automatically reboots the computer when restoration of the registry

is complete.

* = Not supported in the DOS version of ERDNT.

Optimizing the registry with NTREGOPT

-------------------------------------

Similar to Windows 9x/Me, the registry files in an NT-based system

can become fragmented over time, occupying more space on your hard

disk than necessary and decreasing overall performance. You should

use the NTREGOPT utility regularly, but especially after installing

or uninstalling a program, to minimize the size of the registry files

and optimize registry access.

The program works by recreating each registry hive "from scratch",

thus removing any slack space that may be left from previously

modified or deleted keys.

Note that the program does NOT change the contents of the registry in

any way, nor does it physically defrag the registry files on the drive

(as the PageDefrag program from SysInternals does). The optimization

done by NTREGOPT is simply compacting the registry hives to the

minimum size possible.

To optimize your registry, simply run NTREGOPT, click "OK", and when

the process is complete click "OK" to reboot the computer. You should

do so immediately because any changes made to the registry after

NTREGOPT has been run are lost after the reboot.

NTREGOPT command line switches

------------------------------

The syntax for the NTREGOPT command line is:

NTREGOPT silent [/noprogresswindow] [/reboot]

(Switches in brackets are optional.)

Description of the command line switches:

silent

Puts NTREGOPT into "silent" mode and enables the other switches.

/noprogresswindow

Hides the progress window during optimization.

/reboot

Automatically reboots the computer when optimization of the registry

is complete.

Known problems

--------------

ERUNT and NTREGOPT sometimes fail with error 1450 - "Insufficient

system resources exist to complete the requested service" - when

trying to save a registry hive. I have not yet been able to reproduce

this error on any PC, and reports from affected users indicate that it

also pops up when trying to back up the critical hive using

Microsoft's REGBACK program. This makes it unlikely that there is

anything I can do on my (the programmer's) side. Some users reported

however that they were able to work around the problem by running

ERUNT/NTREGOPT in Windows' safe mode, and in one case uninstalling a

Symantec software suite solved it permanently. One user reported that

increasing the "IRPStackSize" value as described in Microsoft

Knowledge Base article 177078 fixed the problem on his system.

When the system is rebooted after a restoration of the registry with

ERDNT or optimization with NTREGOPT, Windows Server 2003 will by

default display the shutdown event tracker during logon asking why the

system has been shut down unexpectedly. This is because the info that

the shutdown was in fact an expected one is written to the "old"

registry during shutdown of the system which is replaced by the

restored/optimized registry next time the system is booted, and

therefore the shutdown info is discarded and shutdown event tracker

thinks the system crashed. You may want to disable the tracker to

avoid this message in the future (see the Windows help for information

on how to do this).

If you experience any other problems, please email me at

lars.hederer@t-online.de with a detailed description and I will see if

I can help you.

Localization

------------

You can translate all programs from this package into your language by

editing the appropriate .LOC file.

Keep in mind that the LOC files of the three Windows programs (ERUNT,

ERDNTWIN, NTREGOPT) should be edited using a Windows based editor

(Notepad), and ERDNTDOS.LOC using an MS-DOS based editor (EDIT.COM).

This is to ensure that any OEM characters are displayed correctly in

the program.

If your language is not yet present on my homepage and you want your

localization to be available to the general public, you are welcome to

send the four translated files to me. I will then make them available

for download, with credits of course.

I have included a German language pack. If you want to use the program

in German, simply unzip LOC_GER.ZIP into your ERUNT folder.

Version history

---------------

v1.1j, 10/20/2005

- Fixed compatibility issues with 64-bit Windows (many thanks to

Ian Smith and Hajo for all testing)

- Enhanced error messages

- AutoBackup now supports all date formats

- ERUNT.INI: "TimeSeparator" fixed; "DefaultDestinationFolder" now

supports all environment variables (previously only %SystemRoot%

could be used)

- ERDNT now displays the source Windows folder in addition to the

backup's creation date

v1.1i, 08/17/2005

- AutoBackup: Improved support for complex date formats

- NTREGOPT: Optimization results are now calculated correctly when

optimization failed on one or more hives

v1.1h, 03/06/2005

- Updated homepage address

- New ERUNT.INI option: AppendTimeToFolderEditField

- Fixed a problem where the current user registry could not be

identified on some systems

- Changed behavior of AutoBackup's /days:n switch

v1.1g, 11/02/2004

- ERUNT is now MUCH faster on Windows XP and Server 2003

- Added time string support on the command line

- AutoBackup now by default skips creating a backup for the current

day if one already exists

v1.1f, 08/26/2004

- Added AUTOBACK.EXE command line tool for automated registry backup

and deletion of old restore folders created prior to a specific

number of days

- Window position is now screen center instead of desktop center,

fixing display problem when using multiple monitors (thanks John

v1.1e, 07/31/2004

- Appearance of the date string can be configured via ERUNT.INI

- NTREGOPT: Optimization results: use thousand separator

v1.1d, 07/07/2004

- Optimized error handling

- Combined DOS and Windows ERDNT into a single Win32 executable,

fixing problems with the previous 16-bit exe stub on some systems

and with BartPE

- Added Windows Recovery Console support with ERDNT batch file

- Default destination folder can now be configured via file ERUNT.INI,

replacing #DestinationFolder command line option

- Changed the default destination folder to be inside the Windows

folder, for easy recovery console access

- New folder named the current date is automatically appended to

destination folder (can be disabled in ERUNT.INI)

- Rewrote major parts of the documentation

v1.1c, 05/10/2004

- Fixed problems with dynamic disks

- Added browse function for destination folder, as well as the option

to change the default name (use #DestinationFolder on the command

line)

- Re-added support for Windows NT 3.51 (got lost with v1.1) except

browse function

v1.1b, 04/23/2004

- ERUNT and NTREGOPT are now compatible with Windows Server 2003 and

Windows XP Service Pack 2

- Fixed a problem where the registry hives could not be

saved/restored/optimized on some systems

- Changed naming convention for user subfolders in the ERDNT folder

v1.1a, 10/03/2002

- Fixed a problem where the registry hives could not be

saved/restored/optimized on some systems

v1.1, 09/25/2002

- Fixed "Invalid pointer operation" message which occurred on some

systems (many thanks to Russ Cordner for his assistance in isolating

the problem)

- Fixed "Error opening localization file" message when ERUNT.EXE was

called from outside the ERUNT folder

- Fixed some problems with UNC path names

- Added command line support for ERDNT and NTREGOPT

- NTREGOPT: show optimization results (initial and new registry size)

v1.0, 11/24/2001

- Initial release

Distribution

------------

The ERUNT package (including the programs ERUNT, AUTOBACK, ERDNT and

NTREGOPT) is freeware. Please pass it to anyone who you think may find

it useful.

I explicitly allow this package to be included in any file archive,

CD-ROM or other media collection as well as usage in your own programs

provided that all files are kept and remain unchanged. A quick note

via e-mail where my program has been included is appreciated.

Donations

---------

Though I chose to make my programs freeware so that no one is required

to pay for using them, I accept and appreciate donations. So, if you

find my programs helpful and want to support further development,

simply visit my homepage and click one of the "PayPal" buttons, or

donate directly to my e-mail address via PayPal. Thanks in advance!

If you live in Germany and want to make a donation, you may also

transfer money directly to my bank account. Contact me for more

information.

Disclaimer

----------

Use this software at your own risk. I do not take responsibility for

anything that might happen to you or the PC upon use of my programs,

including but not limited to: registry destruction, hard disk crash,

heart attack...

Comments and suggestions via e-mail, however, are always welcome!

MBAM:__________________________________________________________________________________________________________

Malwarebytes Anti-Malware

www.malwarebytes.org

Scan Date: 7/15/2014

Scan Time: 9:50:06 PM

Logfile:

Administrator: Yes

Version: 2.00.2.1012

Malware Database: v2014.07.16.02

Rootkit Database: v2014.07.14.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: nate

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 318742

Time Elapsed: 20 min, 54 sec

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

Processes: 0

(No malicious items detected)

Modules: 0

(No malicious items detected)

Registry Keys: 0

(No malicious items detected)

Registry Values: 0

(No malicious items detected)

Registry Data: 1

PUP.Optional.Spigot.A, HKU\S-1-5-21-1022412237-4134323410-1441852971-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://search.yahoo.com/?type=586383&fr=spigot-yhp-ie, Good: (www.google.com), Bad: (http://search.yahoo.com/?type=586383&fr=spigot-yhp-ie),Replaced,[2351574806752e08b4cbafe83cc80af6]

Folders: 0

(No malicious items detected)

Files: 1

PUP.Optional.Spigot.A, C:\Users\nate\AppData\Roaming\Mozilla\Firefox\Profiles\ggzx4tok.default\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", "http://search.yahoo.com/?type=586383&fr=spigot-yhp-ff")

, Replaced,[bcb8930cc5b626101f82b8182ed6a65a]

Physical Sectors: 0

(No malicious items detected)

(end)

ROGUEKILLER:________________________________________________________________________________________________________

RogueKiller V9.2.3.0 (x64) [Jul 11 2014] by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : nate [Admin rights]

Mode : Scan -- Date : 07/15/2014 22:31:47

¤¤¤ Bad processes : 2 ¤¤¤

[suspicious.Path] explorer.exe -- C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll[-] -> UNLOADED

[suspicious.Path] explorer.exe -- C:\ProgramData\Microsoft\Crypto\RSA64\rsa64.dll[-] -> UNLOADED

¤¤¤ Registry Entries : 4 ¤¤¤

[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND

[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND

[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND

[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 4 (Driver: LOADED) ¤¤¤

[EAT:Addr] (explorer.exe) WTSAPI32.dll - DllCanUnloadNow : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefadf2350

[EAT:Addr] (explorer.exe) WTSAPI32.dll - DllGetClassObject : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefadf2130

[EAT:Addr] (explorer.exe) WTSAPI32.dll - DllRegisterServer : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefadf1f70

[EAT:Addr] (explorer.exe) WTSAPI32.dll - DllUnregisterServer : C:\Program Files (x86)\Google\Drive\googledrivesync64.dll @ 0x7fefadf2060

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: ST320LT007-9ZV142 +++++

--- User ---

[MBR] e24043ac1ebdcdd8e91002d173315f79

[bSP] b002acaee9e3af0ee23a58f6a009ebee : Windows Vista/7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1200 MB

1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2459648 | Size: 288043 MB

2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 592371712 | Size: 16000 MB

User = LL1 ... OK

User = LL2 ... OK

============================================

RKreport_DEL_05312014_004712.log - RKreport_DEL_06062014_092343.log - RKreport_DEL_06082014_210327.log - RKreport_DEL_06142014_221022.log

RKreport_DEL_06172014_065637.log - RKreport_DEL_06182014_123948.log - RKreport_DEL_06212014_091441.log - RKreport_DEL_06302014_070804.log

RKreport_DEL_06302014_071122.log - RKreport_DEL_07072014_085838.log - RKreport_DEL_07152014_155411.log - RKreport_SCN_05312014_004533.log

RKreport_SCN_06062014_092151.log - RKreport_SCN_06082014_210223.log - RKreport_SCN_06142014_161913.log - RKreport_SCN_06172014_065125.log

RKreport_SCN_06182014_123100.log - RKreport_SCN_06202014_001517.log - RKreport_SCN_06212014_090716.log - RKreport_SCN_06212014_170908.log

RKreport_SCN_06302014_070756.log - RKreport_SCN_06302014_071055.log - RKreport_SCN_07072014_085820.log - RKreport_SCN_07152014_154524.log

AdvancedSetup · July 16, 2014

Please go ahead and run through the following steps and post back the logs when ready.

STEP 04
Please download Junkware Removal Tool to your desktop.

Shutdown your antivirus to avoid any conflicts.
Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next reply message
When completed make sure to re-enable your antivirus

STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Please uncheck elements you don't want removed.
Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log especially under Files/Folders for any program you want to save.
If there's a program you may want to save, just uncheck it from AdwCleaner.
If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
If you're ready to clean it all up.....click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
To restore an item that has been deleted:
Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

STEP 07

Please go here to run the online antivirus scannner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked
Click on Advanced Settings and ensure these options are ticked:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
[*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

Double-click to run it. When the tool opens click Yes to disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

nlu122 · July 17, 2014

Hey, I'm not sure you read my personal message to you, but I won't be here this weekend starting today until Monday. I just wanted to let you know so you don't delete my forum post and you don't think I'm abandoning you before we're done cleaning. I really need your help so please don't delete my post!

Thanks again!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 6.1.4 (04.06.2014:1)

OS: Windows 7 Home Premium x64

Ran by nate on Wed 07/16/2014 at 13:06:38.25

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Wed 07/16/2014 at 13:15:52.35

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v3.215 - Report created 16/07/2014 at 13:39:15

# Updated 09/07/2014 by Xplode

# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

# Username : nate - NATHANS

# Running from : C:\Users\nate\Desktop\AdwCleaner.exe

# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207

-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Users\nate\AppData\Roaming\Mozilla\Firefox\Profiles\ggzx4tok.default\prefs.js ]

-\\ Google Chrome v

[ File : C:\Users\nate\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [31507 octets] - [18/03/2014 20:51:46]

AdwCleaner[R1].txt - [1113 octets] - [14/04/2014 17:36:10]

AdwCleaner[R2].txt - [1203 octets] - [08/05/2014 12:16:43]

AdwCleaner[R3].txt - [1251 octets] - [22/05/2014 12:44:27]

AdwCleaner[R4].txt - [1419 octets] - [01/06/2014 01:01:15]

AdwCleaner[R5].txt - [1492 octets] - [02/06/2014 19:21:26]

AdwCleaner[R6].txt - [1544 octets] - [16/07/2014 13:32:09]

AdwCleaner[s0].txt - [32193 octets] - [18/03/2014 20:56:56]

AdwCleaner[s1].txt - [1177 octets] - [14/04/2014 17:38:53]

AdwCleaner[s2].txt - [1267 octets] - [08/05/2014 12:27:40]

AdwCleaner[s3].txt - [1313 octets] - [22/05/2014 16:34:00]

AdwCleaner[s4].txt - [1632 octets] - [01/06/2014 01:08:50]

AdwCleaner[s5].txt - [1465 octets] - [16/07/2014 13:39:15]

########## EOF - C:\AdwCleaner\AdwCleaner[s5].txt - [1525 octets] ##########

Malwarebytes Anti-Malware

www.malwarebytes.org

Scan Date: 7/16/2014

Scan Time: 1:45:49 PM

Logfile:

Administrator: Yes

Version: 2.00.2.1012

Malware Database: v2014.07.16.08

Rootkit Database: v2014.07.14.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: nate

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 318817

Time Elapsed: 42 min, 38 sec

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

Processes: 0

(No malicious items detected)

Modules: 0

(No malicious items detected)

Registry Keys: 0

(No malicious items detected)

Registry Values: 0

(No malicious items detected)

Registry Data: 0

(No malicious items detected)

Folders: 0

(No malicious items detected)

Files: 0

(No malicious items detected)

Physical Sectors: 0

(No malicious items detected)

(end)

ESET SCAN

C:\AdwCleaner\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application

C:\ProgramData\Microsoft\Crypto\RSA64\rsa64.dll a variant of Win64/Sathurbot.A trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmp1952.exe Win64/Simda.A trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmp26AF.exe a variant of Win32/TrojanDropper.Agent.QMS trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmp351B.exe Win32/TrojanDownloader.Agent.AGV trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmp50BE.exe a variant of Win32/Kryptik.CCOZ trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmp5BC4.exe Win32/VB.RNV trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmp872B.exe a variant of Win32/Injector.BEOU trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmp8DB4.exe Win32/Boaxxe.BQ trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmp91B9.exe a variant of Win32/Injector.BHHD trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmp9F20.exe Win32/Boaxxe.BB trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmpA64B.exe Win32/TrojanDownloader.Agent.AGV trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmpA9C5.exe a variant of Win32/Injector.BEJL trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmpBDBF.exe Win32/Boaxxe.BR trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmpDB16.exe Win32/Boaxxe.BR trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmpE377.exe Win32/Simda.B trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmpE948.exe a variant of Win32/Injector.BEXV trojan

C:\ProgramData\Microsoft\Crypto\RSA64\temp\tmpEA7E.exe Win32/Boaxxe.BQ trojan

C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM124.zip Win32/Bagle.gen.zip worm

C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM127.zip Win32/Bagle.gen.zip worm

C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM42.zip Win32/Bagle.gen.zip worm

C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM44.zip Win32/Bagle.gen.zip worm

C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO10.zip Win32/Bagle.gen.zip worm

C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO4.zip Win32/Bagle.gen.zip worm

C:\ProgramData\Spybot - Search & Destroy\Recovery\YontooPagerage2.zip Win32/Bagle.gen.zip worm

C:\ProgramData\Spybot - Search & Destroy\Recovery\YontooPagerage28.zip Win32/Bagle.gen.zip worm

C:\Users\All Users\Microsoft\Crypto\RSA64\rsa64.dll a variant of Win64/Sathurbot.A trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmp1952.exe Win64/Simda.A trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmp26AF.exe a variant of Win32/TrojanDropper.Agent.QMS trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmp351B.exe Win32/TrojanDownloader.Agent.AGV trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmp50BE.exe a variant of Win32/Kryptik.CCOZ trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmp5BC4.exe Win32/VB.RNV trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmp872B.exe a variant of Win32/Injector.BEOU trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmp8DB4.exe Win32/Boaxxe.BQ trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmp91B9.exe a variant of Win32/Injector.BHHD trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmp9F20.exe Win32/Boaxxe.BB trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmpA64B.exe Win32/TrojanDownloader.Agent.AGV trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmpA9C5.exe a variant of Win32/Injector.BEJL trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmpBDBF.exe Win32/Boaxxe.BR trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmpDB16.exe Win32/Boaxxe.BR trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmpE377.exe Win32/Simda.B trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmpE948.exe a variant of Win32/Injector.BEXV trojan

C:\Users\All Users\Microsoft\Crypto\RSA64\temp\tmpEA7E.exe Win32/Boaxxe.BQ trojan

C:\Users\All Users\Spybot - Search & Destroy\Recovery\SweetIM124.zip Win32/Bagle.gen.zip worm

C:\Users\All Users\Spybot - Search & Destroy\Recovery\SweetIM127.zip Win32/Bagle.gen.zip worm

C:\Users\All Users\Spybot - Search & Destroy\Recovery\SweetIM42.zip Win32/Bagle.gen.zip worm

C:\Users\All Users\Spybot - Search & Destroy\Recovery\SweetIM44.zip Win32/Bagle.gen.zip worm

C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO10.zip Win32/Bagle.gen.zip worm

C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO4.zip Win32/Bagle.gen.zip worm

C:\Users\All Users\Spybot - Search & Destroy\Recovery\YontooPagerage2.zip Win32/Bagle.gen.zip worm

C:\Users\All Users\Spybot - Search & Destroy\Recovery\YontooPagerage28.zip Win32/Bagle.gen.zip worm

C:\Users\nate\AppData\Local\Iqczsoft\hpfpre06.dll Win32/Boaxxe.BE trojan

C:\Users\nate\AppData\Local\Iqczsoft\mainMenuScript.dll Win32/Boaxxe.BE trojan

C:\Users\nate\AppData\Local\Iqczsoft\MFCANS32.dll Win32/Boaxxe.BE trojan

C:\Users\nate\AppData\Local\Iqczsoft\Xaudio.dll Win32/Boaxxe.BE trojan

C:\Users\nate\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\72D0GZD1\yontoosetup[1].exe multiple threats

C:\Users\nate\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L8WKB0QU\landing[1].htm HTML/Iframe.B.Gen virus

C:\Users\nate\AppData\Local\Temp\478.tmp Win64/Simda.A trojan

C:\Users\nate\AppData\Local\Temp\6FAB.tmp Win64/Simda.A trojan

C:\Users\nate\AppData\Local\Temp\D695.tmp Win64/Simda.A trojan

C:\Users\nate\AppData\Local\Temp\FF41.tmp Win64/Simda.A trojan

C:\Users\nate\AppData\Local\Temp\SE8295.tmp.dll a variant of Win64/Kryptik.FI trojan

C:\Users\nate\AppData\Local\Temp\SE97B6.tmp.dll a variant of Win64/Kryptik.FI trojan

C:\Users\nate\AppData\Local\Temp\SECAB6.tmp.dll a variant of Win64/Kryptik.FI trojan

C:\Users\nate\AppData\Local\Temp\SEDED3.tmp.dll a variant of Win64/Kryptik.FI trojan

C:\Users\nate\AppData\Roaming\winter.exe Win32/VB.RNV trojan

C:\Users\nate\AppData\Roaming\wintt.exe Win32/VB.RNV trojan

C:\Users\nate\AppData\Roaming\Adobe\WmiPrv\WmiPrvSE.exe a variant of Win32/TrojanDropper.Agent.QMS trojan

FRST SCAN:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-07-2014 01

Ran by nate (administrator) on NATHANS on 17-07-2014 06:22:29

Running from C:\Users\nate\Desktop